Cleansing string / input in Coldfusion 9

Question

I have been working with Coldfusion 9 lately (background in PHP primarily) and I am scratching my head trying to figure out how to 'clean/sanitize' input / string that is user submitted.

I want to make it HTMLSAFE, eliminate any javascript, or SQL query injection, the usual. I am hoping I've overlooked some kind of function that already comes with CF9.

Can someone point me in the proper direction?

Answer 1

Well, for SQL injection, you want to use CFQUERYPARAM.

As for sanitizing the input for XSS and the like, you can use the ScriptProtect attribute in CFAPPLICATION, though I've heard that doesn't work flawlessly. You could look at Portcullis or similar 3rd-party CFCs for better script protection if you prefer.

Answer 2

This an addition to Kyle's suggestions not an alternative answer, but the comments panel is a bit rubbish for links.

Take a look a the ColdFusion string functions. You've got HTMLCodeFormat, HTMLEditFormat, JSStringFormat and URLEncodedFormat. All of which can help you with working with content posted from a form.

You can also try to use the regex functions to remove HTML tags, but its never a precise science. This ColdFusion based regex/html question should help there a bit.

You can also try to protect yourself from bots and known spammers using something like cfformprotect, which integrates Project Honeypot and Akismet protection amongst other tools into your forms.

Answer 3

You've got several options:

1. "Global Script Protection" Administrator setting, which applies a regular expression against post and get (i.e. FORM and URL) variables to strip out <script/>, <img/> and several other tags
2. Use isValid() to validate variables' data types (see my in depth answer on this one).
3. <cfqueryparam/>, which serves to create SQL bind parameters and validate the datatype passed to it.

That noted, if you are really trying to sanitize HTML, use Java, which ColdFusion can access natively. In particular use the OWASP AntiSamy Project, which takes an HTML fragment and whitelists what values can be part of it. This is the same approach that sites like SO and slashdot.org use to protect submissions and is a more secure approach to accepting markup content.

Answer 4

Sanitation of strings in coldfusion and in quite any language is very important and depends on what you want to do with the string. most mitigations are for

• saving content to database (e.g. <cfqueryparam ...>)
• using content to show on next page (e.g. put url-parameter in link or show url-parameter in text)
• saving files and using upload filenames and content

There is always a risk if you follow the idea to prevent and reduce a string by allow basically everything in the first step and then sanitize malicious code "away" by deleting or replacing characters (blacklist approach). The better solution is to replace strings with rereplace(...) agains regular expressions that explicitly allow only the characters needed for the scenario you use it as an easy solution, whenever this is possible. use cases are inputs for numbers, lists, email-addresses, urls, names, zip, cities, etc.

For example if you want to ask for a email-address, you could use

<cfif reFindNoCase("^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.(?:[A-Z]{5})$", stringtosanitize)>...ok, clean...<cfelse>...not ok...</cfif>

(or an own regex). For HTML-Imput or CSS-Imput I would also recommend OWASP Java HTML Sanitizer Project.