Request Scrubber: ColdFusion XSS Protection

By Bradley Wayne Moore | Published 8 months ago

onRequestStart is by far my favorite ColdFusion function. You can do a whole lot of awesome with it.

I always start onRequestStart with a call to scrubRequest().

It converts the HTML special characters in every form and URL value to their escaped entities and strips out anything that looks like a tag.

The combination of these two techniques has removed a lot of cross-site scripting (XSS) vulnerabilities from my applications.

	<cffunction name="onRequestStart" returntype="boolean" output="false">
		<cfargument name="thePage"
			type="string"
			required="true"
			hint="I am the target page" />

		<!--- Run Request Scrubber Before Anything Else --->
		<cfset scrubRequest() />

		<!--- Application Related Stuff --->

		<cfcontent reset="true" />
		<cfreturn true />
	</cffunction>

	<cffunction name="scrubRequest"
		output="false" access="private" returntype="void"
		hint="I attempt to remove attacks and setup the request">

		<cfscript>
		var key = "";

		// Guard in case the request carries no form scope
		if ( isDefined( "form" ) ) {
			for ( key in form ) {
				// Strip tags first: once < has been escaped to &lt; the tag
				// pattern can never match, so stripping after escaping does nothing
				form[ key ] = reReplaceNoCase( form[ key ],
					"<[^>]*>", "",
					"all" );
				// Then escape whatever survives (a lone <, >, & or ")
				form[ key ] = htmlEditFormat( form[ key ] );
			}
		}

		for ( key in url ) {
			url[ key ] = reReplaceNoCase( url[ key ],
				"<[^>]*>", "",
				"all" );
			url[ key ] = htmlEditFormat( url[ key ] );
		}
		</cfscript>

	</cffunction>

Please keep in mind that this is not a complete solution, but it is very effective. You still need to do your own validation on each input and, whenever possible, check it against a whitelist of allowed values.
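To show why the order of the two scrubbing steps matters, and why the closing caveat stands, here is a small Python model of the scrubber (an added example, not the post's own CFML): html_edit_format mirrors htmlEditFormat's escaping of &, <, > and ", strip_tags mirrors the reReplaceNoCase call, and safe_href is a hypothetical whitelist check for a value that will be echoed into a link, a context the scrubber alone does not cover.

```python
import re
from urllib.parse import urlsplit

# Same pattern the post uses with reReplaceNoCase: anything between < and >
TAG_RE = re.compile(r"<[^>]*>", re.IGNORECASE)


def html_edit_format(value: str) -> str:
    """Model of ColdFusion's htmlEditFormat(): escapes only &, <, > and "."""
    return (value.replace("&", "&amp;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;")
                 .replace('"', "&quot;"))


def strip_tags(value: str) -> str:
    """Model of reReplaceNoCase(value, "<[^>]*>", "", "all")."""
    return TAG_RE.sub("", value)


def scrub_escape_then_strip(value: str) -> str:
    """Escape first: every < is now &lt;, so the tag pattern can never match
    and the strip step is a no-op. The tags survive, encoded."""
    return strip_tags(html_edit_format(value))


def scrub_strip_then_escape(value: str) -> str:
    """Strip first, then escape whatever survives (a lone <, > or &).
    The tags are actually removed, as the post describes."""
    return html_edit_format(strip_tags(value))


def scrub_scope(scope: dict) -> dict:
    """Apply the scrubber to every key of a form/url scope, like scrubRequest()."""
    return {key: scrub_strip_then_escape(val) for key, val in scope.items()}


# Hypothetical whitelist for a field that ends up inside an href attribute.
# A value with no <, >, & or " passes the scrubber unchanged, so a link field
# needs its own validation; only absolute http(s) URLs are accepted here.
ALLOWED_SCHEMES = {"http", "https"}


def safe_href(value: str) -> bool:
    """True only if the value is an absolute URL with a whitelisted scheme."""
    return urlsplit(value.strip()).scheme.lower() in ALLOWED_SCHEMES
```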