Seybsen

Reputation: 15572

Securing user input outputted in HTML with ColdFusion

When a user searches a page, I add ?q=[searchterm] to my URL and output something like this:

Your search result for <CFOUTPUT>#htmleditformat(URL.q)#</CFOUTPUT>:

A while ago I read that htmleditformat() is not enough and XSS can still be executed (... for example if somebody sends a link to a victim like http://example.com/?q=[evilXSS]).

I also save URL.q to a database (I'm using ORM in this case):

<CFSET myobject.setKeyword(URL.q) />

but for now I'm interested in how to securely output the user data to the browser.

Upvotes: 4

Views: 290

Answers (1)

Barry Jordan

Reputation: 2706

You can also use xmlFormat(), described here. It escapes more characters than htmlEditFormat(), such as single quotation marks and high ASCII characters in the range 159-255.

If you want more control, you can use Java's StringEscapeUtils directly.

Upvotes: 3
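To make the difference between the two functions concrete, here is an added example (not code from the question or the answer). It uses a constructed search term containing the characters the two encoders treat differently, and the variable names searchTerm, viaHtmlEditFormat and viaXmlFormat are my own. The point it shows is the one the answer makes: htmlEditFormat() leaves the single quote alone, so it is not enough on its own when the value lands inside a single-quoted attribute, whereas xmlFormat() encodes that character as well.

```cfml
<!--- Added example, not from the original page. Constructed search term that
      mixes the characters the two encoders handle differently:
      angle brackets, ampersand, double quotes and single quotes. --->
<cfset searchTerm = "<b>shoes</b> & 'boots' ""cheap""">

<!--- htmlEditFormat() escapes <, >, & and the double quote only.
      The single quote in searchTerm passes through unchanged. --->
<cfset viaHtmlEditFormat = htmlEditFormat(searchTerm)>

<!--- xmlFormat() escapes the same characters plus the single quote
      (and high ASCII characters in the range 159-255, as the answer notes). --->
<cfset viaXmlFormat = xmlFormat(searchTerm)>

<cfoutput>
  <!--- Context 1: plain element content.
        htmlEditFormat() is sufficient here because a single quote cannot
        break out of text between tags. --->
  <p>Your search result for #viaHtmlEditFormat#:</p>

  <!--- Context 2: a single-quoted attribute value.
        With htmlEditFormat() the ' in the term would end the attribute,
        so the remainder of the term becomes part of the tag. xmlFormat()
        encodes the ' and the attribute stays closed as intended. --->
  <input type="text" name="q" value='#viaXmlFormat#'>

  <!--- Side-by-side view of what each encoder produced, shown as text. --->
  <pre>
htmlEditFormat: #htmlEditFormat(viaHtmlEditFormat)#
xmlFormat:      #htmlEditFormat(viaXmlFormat)#
  </pre>
</cfoutput>
```

The safest habit is to pick the encoder by the context the value is written into: element text, attribute value, and script or URL contexts each have different break-out characters, and an encoder chosen for one context does not automatically cover another. The <pre> block at the end re-encodes the already-encoded strings with htmlEditFormat() so the entity text itself is displayed rather than rendered, which is a convenient way to inspect what a given encoder actually emits on your ColdFusion version.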
