Can I get reliable XSS protection in CF11 that I can apply to the entire site without touching every request or input?

I'm currently using CF11 and CFWheels 1.1, and the Global Script Protection (GSP) feature does a terrible job of covering XSS vectors. I would like to expand it to block any and all tags / vectors for JS from being inserted into the database.

CF11 offers AntiSamy protection through the getSafeHTML() function, which applies the XML policy file specified in Application.cfc, but do I still need to change each individual varchar cfqueryparam in the application to use it correctly?

Is there a way to get CF11 to turn on AntiSamy protection server-wide or application-wide in the same way as the GSP feature? I mean, GSP automatically breaks the input tags sent to the application, without the need to change all requests / forms. I would like to use the AntiSamy / getSafeHTML() policy file in the same way.

Thanks!

+4
3 answers

? (varchar) . . , , , html, "" html, . , - , html . , , getSafeHTML.

- . () " " imo. .

, onRequestStart URL. , , :

function onRequestStart(string req) {
    for(var key in form) { form[key] = getSafeHTML(form[key]); }
    for(var key in url) { url[key] = getSafeHTML(url[key]); }
}
+8

Ray, - , . , , . , . , , ; , , . . ; - - , - , , , - 3-2-4. .

, , Global Script Protection . , , cf_root/lib/neo-security.xml , cf_root/WEB-INF/cfusion/lib/neo-security.xml JEE . , ColdFusion , CrossSiteScriptPatterns.

:

<var name='CrossSiteScriptPatterns'>
    <struct type='coldfusion.server.ConfigMap'>
        <var name='&lt;\s*(object|embed|script|applet|meta)'>
            <string>&lt;InvalidTag</string>
        </var>
    </struct>
</var>

, Script , <object <embed <script <applet <meta <InvalidTag. , , .

.

+2
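To make the CrossSiteScriptPatterns entry above concrete, here is an added Python emulation of what that configuration does to a request value. It is not ColdFusion's own code and not part of any answer on this page; it assumes that the `&lt;` in the XML is the literal `<` and that ColdFusion applies the pattern case-insensitively. It also runs the emulated filter over a constructed form scope the same way the onRequestStart loop in Ray's answer runs getSafeHTML(), so you can see which sample values the five-tag pattern rewrites and which it leaves alone.

```python
import re

# The single CrossSiteScriptPatterns entry quoted from neo-security.xml above,
# with the XML entity &lt; decoded back to a literal '<'.
# Key = regex ColdFusion looks for, value = replacement text.
GSP_PATTERNS = {
    r"<\s*(object|embed|script|applet|meta)": "<InvalidTag",
}


def apply_gsp(value: str) -> str:
    """Apply the configured patterns to one request value.

    Assumption (not stated on the page): ColdFusion matches the pattern
    case-insensitively, so "<SCRIPT" is rewritten like "<script". Only the
    opening "<tagname" is replaced; the rest of the tag, its attributes and
    the closing tag are passed through exactly as submitted.
    """
    for pattern, replacement in GSP_PATTERNS.items():
        value = re.sub(pattern, replacement, value, flags=re.IGNORECASE)
    return value


def sanitize_scope(scope: dict) -> dict:
    """Emulate the onRequestStart loop over a form/url scope.

    The GSP emulation stands in for getSafeHTML() here; the shape of the
    loop (rewrite every key in place) is the same as in the answer.
    """
    return {key: apply_gsp(val) for key, val in scope.items()}


def changed_keys(scope: dict) -> list:
    """Keys whose values the filter actually modified.

    Handy for logging what GSP would have rewritten on a given request,
    which is the first thing to check when a form 'mysteriously' breaks.
    """
    cleaned = sanitize_scope(scope)
    return sorted(k for k in scope if cleaned[k] != scope[k])


# Constructed sample form scope (not from the page), mixing harmless markup
# with inputs that hit each of the five tag names in the pattern.
SAMPLE_FORM = {
    "comment": "<b>hello</b> and <a href='/'>home</a>",
    "title": "< SCRIPT type='text/javascript'>test</script>",
    "header": "<meta http-equiv='refresh' content='0'>",
    "widget": "<embed src='movie.swf'>",
    "legacy": "<applet code='Demo'></applet>",
    "json": '{"a": 1}',
}

if __name__ == "__main__":
    for key, val in sanitize_scope(SAMPLE_FORM).items():
        print(f"{key:8} -> {val}")
    print("rewritten:", changed_keys(SAMPLE_FORM))
```

Running it shows why the question calls GSP insufficient: the filter keys only on the opening `<` of these five tag names, so `<b>`, `<a href>` and every attribute on every other tag pass through untouched, and the closing `</script>` survives as well. GSP is a coarse first line at best; the getSafeHTML()/AntiSamy policy, plus context-aware output encoding, is still needed.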

, cfwheels 1.1:

I used the slashdot file from https://code.google.com/p/owaspantisamy/downloads/list

This is done in application.cfc:

<cfcomponent output="false">
    <cfset this.security.antisamypolicy="antisamy-slashdot-1.4.4.xml">
    <cfinclude template="wheels/functions.cfm">
</cfcomponent>

This is in the file /ProjectRoot/events/onrequeststart.cfm:

function xssProtection() {
    // SERVER.ColdFusion.productversion is a comma list such as "11,0,0,nnnnn";
    // the first element is the major version
    var CFversion = ListToArray(SERVER.ColdFusion.productversion);
    // getSafeHTML() only exists from ColdFusion 11 onwards
    if (CFversion[1] GTE 11) {
        for (var key in form) {
            // leave JSON payloads alone so they still parse after the request
            if (not IsJSON(form[key])) {
                form[key] = getSafeHTML(form[key]);
            }
        }
        for (var key in url) {
            if (not IsJSON(url[key])) {
                url[key] = getSafeHTML(url[key]);
            }
        }
    }
}
xssProtection();

0