
I have a value coming in that will ultimately be an html id= attribute. I don't have control over what set the value, so it is possible that it is not safe. I know to check for single quotes and double quotes, but how do I check to make sure that it is clean?

                                variables.result &= '<div class="alert alert-danger"';
if(attributes.id        != "")  variables.result &= ' id="#attributes.id#"';
James A Mohler
  • Search for escape html (attribute). Then it doesn't matter what it is. But an attacker could still shadow ids. – user2864740 Sep 25 '15 at 00:32
  • Not sure if I understand what you want, but my guess is: `' id="#encodeForHtmlAttribute(attributes.id)#"'` – Alex Sep 25 '15 at 00:33
  • Does that work with style and class too? – James A Mohler Sep 25 '15 at 00:53
  • Instead of worrying about what to filter out, decide what you want to allow and use regex to limit the input to those characters. – Dan Bracuk Sep 25 '15 at 00:56
  • @JamesAMohler Yes, it will escape all characters that would "leave" the tag attribute. But keep in mind that this is for sanitizing input, not validating. People could still submit invalid ids and classes (containing bad characters that are not allowed by specifications). It would not be a security issue, but the values would be useless. – Alex Sep 25 '15 at 07:54
  • _Does that work with style and class too?_ - There are several [encodeFor... functions included with ColdFusion 10 and 11](https://wikidocs.adobe.com/wiki/display/coldfusionen/Functions+e-g). For example there is also an `encodeForCSS` function. They are to be used specifically for the referenced type. – Miguel-F Sep 25 '15 at 13:55
  • @Miguel-F I ended up using your suggestion – James A Mohler Sep 26 '15 at 06:24

2 Answers


If I understand you correctly then this might be what you're looking for:

http://code.google.com/p/google-caja/wiki/JsHtmlSanitizer

EDIT: in PHP:

What's the best method for sanitizing user input with PHP?

EDIT2: didn't see you are using coldfusion, maybe this is it:

Cleansing string / input in Coldfusion 9

Orry

If using ColdFusion to generate the variable name, you could use the "variablise" method of the Inflector CFC. It will convert any string into a safe underscore-separated list that can be used as a ColdFusion variable name. (Inflector is based on the Ruby on Rails ActiveSupport::Inflector class.)

https://github.com/timblair/coldfusion-inflector

<cffunction name="variablise" access="public" returntype="string" output="no" hint="Converts a string to a variable name, e.g. CamelCase becomes camel_case, 'big CSSDogThing' becomes big_css_dog_thing etc.">
    <cfargument name="string" type="string" required="yes" hint="The string to variablise">
    <cfset arguments.string = replace(trim(rereplace(arguments.string, "([^[:alnum:]_-]+)", " ", "ALL")), " ", "-", "ALL")>
    <cfset arguments.string = rereplace(arguments.string, "([A-Z]+)([A-Z][a-z])", "\1_\2", "ALL")>
    <cfset arguments.string = rereplace(arguments.string, "([a-z\d])([A-Z])", "\1_\2", "ALL")>
    <cfreturn lcase(replace(arguments.string, "-", "_", "ALL"))>
</cffunction>
James Moberg
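An added example, not code from the question or either answer, that puts the two approaches from the comments side by side: attribute-encoding (the same idea as `encodeForHtmlAttribute`, done here with Python's `html.escape`) keeps any value from terminating the quoted `id="..."` attribute, while an allowlist check rejects values that are harmless after encoding but useless as ids. `ID_PATTERN` is an assumed conservative rule, not a spec quotation, and `variablise` is a Python port of the Inflector function from the second answer, shown as the normalising fallback.

```python
import html
import re

# Assumed allowlist for an id: a letter, then letters, digits, "_" or "-".
# This is stricter than what HTML5 permits, on purpose.
ID_PATTERN = re.compile(r"^[A-Za-z][A-Za-z0-9_-]*$")


def encode_for_html_attribute(value: str) -> str:
    """Escape & < > " ' so the value cannot close a double-quoted attribute."""
    return html.escape(value, quote=True)


def is_valid_id(value: str) -> bool:
    """Allowlist validation: True only if the value is a usable id as-is."""
    return ID_PATTERN.fullmatch(value) is not None


def variablise(value: str) -> str:
    """Port of the Inflector 'variablise' steps: replace runs of characters
    outside [alnum _ -] with a space, trim, join with '-', split CamelCase
    with '_', then lowercase and turn '-' into '_'."""
    s = re.sub(r"[^A-Za-z0-9_-]+", " ", value).strip().replace(" ", "-")
    s = re.sub(r"([A-Z]+)([A-Z][a-z])", r"\1_\2", s)
    s = re.sub(r"([a-z\d])([A-Z])", r"\1_\2", s)
    return s.replace("-", "_").lower()


def safe_id(raw: str) -> str:
    """Validate first; if the value fails the allowlist, normalise it instead
    of emitting a value that is escaped but unusable as an id."""
    return raw if is_valid_id(raw) else variablise(raw)


def render_alert(raw_id: str) -> str:
    """Mirror the question's snippet: emit id= only when a value is present.
    Encoding is applied at output regardless of prior validation."""
    result = '<div class="alert alert-danger"'
    if raw_id != "":
        result += f' id="{encode_for_html_attribute(safe_id(raw_id))}"'
    return result + ">"


if __name__ == "__main__":
    # Constructed sample values: one clean id, one that needs normalising.
    for sample in ("alert-1", 'user "bob"', "big CSSDogThing"):
        print(render_alert(sample))
```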