
Any need to use xmlFormat() if I enable Global Script Protection?

New Here, Nov 12, 2010


My site displays a lot of user-supplied data, so I am concerned about XSS attacks.  I have been using xmlFormat() when displaying user input.  What I am wondering is whether enabling Global Script Protection in the CF Admin gives me all the protection that xmlFormat or htmlEditFormat does.  If so, I'd rather check that one box than have to remember to use xmlFormat all the time.  So is Global Script Protection all I really need?

Thanks.

Pete

TOPICS: Advanced techniques

Community Expert, Nov 12, 2010


The XmlFormat function isn't intended to provide XSS protection. It simply escapes XML metacharacters so that you can use the values containing those characters within an XML document. So, that's not a good approach.

The Global Script Protection is a nice idea, but it's incomplete - it simply looks for a list of specific terms and excludes them from inputs.

So, in conclusion, I recommend that you use HtmlEditFormat.

Dave Watts, CTO, Fig Leaf Software

http://www.figleaf.com/

http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on

GSA Schedule, and provides the highest caliber vendor-authorized

instruction at our training centers, online, or onsite.

Read this before you post:

http://forums.adobe.com/thread/607238

New Here, Nov 13, 2010


Dave: Thanks for your explanation.  I see that Adobe's CF documentation seems to imply that Global Script Protection (I'll call it GSP) is just as good as htmlEditFormat in terms of protection against XSS.  Here is what Adobe says:

"This function [htmlEditFormat] can be used to help protect ColdFusion pages that return user-provided data to the client browser from cross-site scripting attacks. However, the scriptProtect attribute of the cfapplication tag or the equivalent This.scriptProtect variable setting in Application.cfc can be preferable in most instances, because you only need to specify it once for an application."

You seem to be saying that there are cases where GSP will not protect against certain types of XSS attack, while htmlEditFormat will.  Would you have an example?

Pete

Community Expert, Nov 13, 2010 (correct answer)


http://www.12robots.com/index.cfm/2010/3/1/A-warning-about-ColdFusions-scriptProtect

http://www.petefreitag.com/item/362.cfm

Dave Watts, CTO, Fig Leaf Software


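To make the difference between the three mechanisms concrete (Dave's point that scriptProtect "simply looks for a list of specific terms", and Pete's request for an example of what it misses), the following Python model is an added example: it is not code from this thread, from Adobe, or from the linked articles. It approximates scriptProtect as the default tag-name blacklist from ColdFusion's neo-security.xml (the pattern is written from memory and is an assumption), htmlEditFormat() as escaping of & < > ", and xmlFormat() as the same plus the single quote (the entity used for the quote is an assumption). It then renders a few constructed payloads into three output contexts and parses the result to see whether a script element or an on* event-handler attribute survives. The function names, context templates and sample payloads are all constructed for the example.

```python
"""Added example: a Python model of ColdFusion's scriptProtect, htmlEditFormat()
and xmlFormat(), used to show which XSS payloads each one stops in which output
context.  Illustrative code written for this thread, not ColdFusion's own
implementation; the patterns and entities below are assumptions (see comments).
"""
import re
from html.parser import HTMLParser

# ASSUMPTION: the default Global Script Protection pattern, as configured in
# ColdFusion's neo-security.xml.  It rewrites a handful of tag names to
# "<InvalidTag" on the way in, and nothing else.
SCRIPT_PROTECT_RE = re.compile(r"<\s*(object|embed|script|applet|meta)", re.IGNORECASE)


def script_protect(value: str) -> str:
    """Model of scriptProtect: blacklist rewrite of a few tag names on input."""
    return SCRIPT_PROTECT_RE.sub("<InvalidTag", value)


def html_edit_format(value: str) -> str:
    """Model of htmlEditFormat(): escapes & < > and the double quote only."""
    return (value.replace("&", "&amp;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;")
                 .replace('"', "&quot;"))


def xml_format(value: str) -> str:
    """Model of xmlFormat(): the XML metacharacters, i.e. the set above plus
    the single quote (numeric entity chosen here is an assumption)."""
    return html_edit_format(value).replace("'", "&#39;")


# Output contexts a template might drop the value into ({} marks the spot).
CONTEXTS = {
    "element body":       "<p>{}</p>",
    "double-quoted attr": '<input type="text" value="{}">',
    "single-quoted attr": "<input type='text' value='{}'>",
}

# Constructed sample inputs, one per injection technique.
PAYLOADS = {
    "script tag":    "<script>alert(1)</script>",
    "event handler": "<img src=x onerror=alert(1)>",
    "dq breakout":   '" onmouseover="alert(1)',
    "sq breakout":   "' onmouseover='alert(1)",
}

DEFENSES = {
    "scriptProtect":  script_protect,
    "htmlEditFormat": html_edit_format,
    "xmlFormat":      xml_format,
}


class _Collector(HTMLParser):
    """Records start tags and on* attributes, roughly what a browser would run."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.event_attrs: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.event_attrs.extend(name for name, _ in attrs if name.startswith("on"))


def injected(markup: str) -> bool:
    """True if the rendered markup contains a <script> element or an on* handler."""
    parser = _Collector()
    parser.feed(markup)
    parser.close()
    return "script" in parser.tags or bool(parser.event_attrs)


def exploitable(defense: str, payload: str, context: str) -> bool:
    """Apply one defense to one payload, render it in one context, and check."""
    rendered = CONTEXTS[context].replace("{}", DEFENSES[defense](PAYLOADS[payload]))
    return injected(rendered)


def matrix() -> dict:
    """Every (defense, payload, context) combination -> exploitable or not."""
    return {(d, p, c): exploitable(d, p, c)
            for d in DEFENSES for p in PAYLOADS for c in CONTEXTS}


if __name__ == "__main__":
    for (d, p, c), bad in sorted(matrix().items()):
        print(f"{d:15} {p:14} {c:18} {'XSS' if bad else 'inert'}")
```

Running it prints the full matrix. The blacklist stops the literal `<script>` tag but leaves the `<img onerror>` payload and both attribute breakouts untouched, which is the gap Dave describes. htmlEditFormat neutralises all of them in an element body or a double-quoted attribute, but because it leaves the single quote alone it does not help inside a single-quoted attribute; xmlFormat happens to cover that case in this model because it escapes the quote too. One further caveat worth keeping in mind: scriptProtect is applied to the request scopes (url, form, cgi, cookie) as they arrive, so a value that reaches the page by another route, such as one previously stored in a database, gets nothing from it, whereas an output-encoding function is applied at the point the value is written to the page.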