Reputation: 1172
How to prevent script tags and other XSS entities from being inserted into the db?
I have a form which contains many text boxes. All the text boxes are required fields. As these are textboxes I can not use specific validation except the length. But i do not want to allow the users to insert tags that are vulnerable to xss attacks.
I know in ColdFusion i can use htmlEditFormat(),encodeForHTML() while displaying user data for preventing XSS, But I just want to prevent those from inserting to db.'GlobalScriptProtect' option also does not add much security as per my knowledge. As I am in CF10, so can not use getSafeHTML()
Is there any way to prevent theses malicious inputs from inserting into the DB in CF10. Can I go for client side sensitization ?
Upvotes: 1
Views: 209
Answers (1)
Reputation: 405
There is a UDF on CFlib.org isXss that checks a value to determine if it is xss. I have used this function and built a custom tag to check every form field and query string field before I submit it to the database. After implementing this, I have been able to pass countless PCI scans and have not had any xss issues.
Upvotes: 5
Related Questions
- ColdFusion XSS Protection with 3 Contexts all-in-one
- XSS Value in Input Tag
- XSS remediation - Improper Neutralization of Script-Related HTML Tags
- How do I prevent SQL injection with ColdFusion
- Securing user input outputted in html with coldfusion
- Methods for preventing SQL Injection in ColdFusion
- What are my options for white-listing HTML in ColdFusion?
- How to handle Script Attack in application
- Prevent XSS attacks site-wide
- ColdFusion how to Prevent XSS Attacks in a WYSIWYG