My site displays a lot of user-supplied data, so I am concerned about XSS attacks. I have been using xmlFormat() when displaying user input. What I am wondering is whether enabling Global Script Protection in the CF Admin gives me all the protection that xmlFormat or htmlEditFormat does. If so, I'd rather check that one box than have to remember to use xmlFormat all the time. So is Global Script Protection all I really need?
Thanks.
Pete
The XmlFormat function isn't intended to provide XSS protection. It simply escapes XML metacharacters so that you can use the values containing those characters within an XML document. So, that's not a good approach.
The Global Script Protection is a nice idea, but it's incomplete - it simply looks for a list of specific terms and excludes them from inputs.
So, in conclusion, I recommend that you use HtmlEditFormat.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/
Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite.
Read this before you post:
http://forums.adobe.com/thread/607238
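The pattern Dave recommends, written out as an added example (this is not code from the thread or from Adobe; the application name, file names and the `url.comment` parameter are assumed for illustration): scriptProtect is switched on once in Application.cfc as defense in depth, and every user-supplied value is still encoded at the point of output with the function that matches the context it lands in.

```cfml
<!--- Application.cfc (assumed file): one-time setting, a blocklist, not an encoder --->
<cfcomponent>
    <cfset this.name = "xssDemo">
    <!--- scriptProtect scans the form, url, cgi and cookie scopes for a fixed
          list of terms; "all" is the broadest setting. It does not encode output,
          so it cannot replace the encoding below. --->
    <cfset this.scriptProtect = "all">
</cfcomponent>

<!--- display.cfm (assumed file): encode every user value where it is output --->
<cfparam name="url.comment" default="">

<!--- HTML body text: htmlEditFormat escapes &, <, > and " --->
<p><cfoutput>#htmlEditFormat(url.comment)#</cfoutput></p>

<!--- HTML attribute: keep the attribute quoted so the escaped quote cannot close it --->
<cfoutput>
<input type="text" name="comment" value="#htmlEditFormat(url.comment)#">
</cfoutput>

<!--- XML document (for example an RSS feed): this is what xmlFormat is for.
      It escapes the XML metacharacters so the value is safe as XML text,
      which is a different job from making a value safe as HTML. --->
<cfset itemTitle = "<title>" & xmlFormat(url.comment) & "</title>">

<!--- Inside a <script> block htmlEditFormat is not the right encoder.
      ColdFusion 10 and later ship context-specific functions
      (encodeForHTML, encodeForHTMLAttribute, encodeForJavaScript);
      on older versions, keep user data out of script blocks entirely. --->
```

The two settings are complementary rather than interchangeable: scriptProtect rejects or strips a known list of terms on the way in, while htmlEditFormat turns the markup characters themselves into entities on the way out, so it works regardless of which terms the input contains.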
Dave: Thanks for your explanation. I see that Adobe's CF documentation seems to imply that Global Script Protection (I'll call it GSP) is just as good as htmlEditFormat in terms of protection against XSS. Here is what Adobe says:
"This function [htmlEditFormat] can be used to help protect ColdFusion pages that return user-provided data to the client browser from cross-site scripting attacks. However, the scriptProtect attribute of the cfapplication tag or the equivalent This.scriptProtect variable setting in Application.cfc can be preferable in most instances, because you only need to specify it once for an application."
You seem to be saying that there are cases where GSP will not protect against certain types of XSS attack, while htmlEditFormat will. Would you have an example?
Pete
http://www.12robots.com/index.cfm/2010/3/1/A-warning-about-ColdFusions-scriptProtect
http://www.petefreitag.com/item/362.cfm
Dave Watts, CTO, Fig Leaf Software