4 Replies Latest reply on Sep 8, 2015 8:54 AM by WolfShade

    Portcullis CFC breaking AJaX submitted form

    WolfShade Level 4

      Hello, all,

      Is anyone else here using the Portcullis CFC?

      I've got a form that is submitting via AJaX, and as long as I have JavaScript stripping out malicious code, it works great.  But if I disable the client-side validation/sanitization and allow Portcullis to detect malicious code, Portcullis is set to redirect to the root index page if it detects anything.  (I have further server-side validation/sanitization, in case JS is disabled.)

      Since my form is submitted via AJaX and uses output to display error/success messages to the DOM, Portcullis is loading the main page as the content to display within the DOM of the form page!!

      I do NOT have the option of disabling or otherwise skirting using Portcullis.  I've tried modifying the Application.cfc to check the cgi.http_referer - if a particular page is the referrer, don't redirect. It's redirecting, anyway.

      Any solutions to this without disabling Portcullis?

      V/r,

      ^_^

        • 1. Re: Portcullis CFC breaking AJaX submitted form
          Jamo Level 2

          Are you testing FORM or URL variables (or both)?  Are you dumping (or emailing) the failed form/URL parameters so you can determine what may be triggering it?  What type of redirect are you performing?  (I'm returning a 403 error instead of redirecting.)

          • 2. Re: Portcullis CFC breaking AJaX submitted form
            WolfShade Level 4

            Hi, Jamo,

            I am testing both form and URL scopes.  If anything is found, it doesn't email or anything, it just redirects to the /index.cfm page.

            I know _what_ is triggering it - I'm testing by placing HTML tags and HTML entities into a textarea.  But I need to figure a way to get it to display an error message if triggered by a specific cgi.http_referer.  In the Application.cfc, there is a line:

            <cfif session.redirect eq 1>
                <cflocation url="/" addtoken="no" />
            </cfif>

            I modified this to:

            <cfif session.redirect eq 1>
                <cfif trim(cgi.http_referer) eq "formpage.cfm">
                    Please correct the following: blah blah blah <cfabort>
                <cfelse>
                    <cflocation url="/" addtoken="no" />
                </cfif>
            </cfif>

            ... but the root index page still appears within the DOM of the form page.

            V/r,

            ^_^
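One way to get the error back to the AJAX caller without the redirect, as an added example that is not the poster's Application.cfc or Portcullis code: it follows the 403-instead-of-redirect approach Jamo mentions, and it picks the response format by whether the request is an XMLHttpRequest (the X-Requested-With header that jQuery and most AJAX helpers send) rather than by which page the referer claims. It assumes Portcullis has already set session.redirect to 1 for a rejected submission; the header check, the JSON field names and the message text are my choices.

```cfml
<!--- Added example for Application.cfc (not the poster's or Portcullis's code).
      Assumption: Portcullis sets session.redirect = 1 when it rejects input. --->
<cffunction name="onRequestStart" access="public" returntype="boolean" output="true">
    <cfargument name="targetPage" type="string" required="true" />

    <!--- Identify an XHR by the X-Requested-With header. The header only chooses the
          response *format*; the block itself happens either way, so a forged header
          gains nothing (unlike a referer-based exception, which would be a bypass). --->
    <cfset var headers = getHttpRequestData().headers />
    <cfset var isAjax = structKeyExists(headers, "X-Requested-With")
            and lCase(headers["X-Requested-With"]) eq "xmlhttprequest" />

    <cfif structKeyExists(session, "redirect") and session.redirect eq 1>
        <cfset session.redirect = 0 />
        <cfif isAjax>
            <!--- Do not <cflocation> an XHR: the browser follows the 302 transparently,
                  so the script receives the index page's HTML and writes it into the DOM.
                  Send a 403 with a small JSON body instead. --->
            <cfheader statuscode="403" statustext="Forbidden" />
            <cfcontent type="application/json; charset=utf-8" reset="true" />
            <cfoutput>#serializeJSON({
                "ok": false,
                "message": "Your submission contained HTML or other characters that are not allowed. Please remove them and try again."
            })#</cfoutput>
            <cfabort />
        <cfelse>
            <!--- Ordinary page request: keep the existing redirect behaviour. --->
            <cflocation url="/" addtoken="no" />
        </cfif>
    </cfif>
    <cfreturn true />
</cffunction>
```

On the client side the success handler should treat any non-2xx status (and any response whose Content-Type is not JSON) as a failure, and write the `message` field with textContent rather than innerHTML, so nothing the server returns is ever parsed as markup in the form page.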

            • 3. Re: Portcullis CFC breaking AJaX submitted form
              Jamo Level 2

              CGI.Referer can be spoofed, not passed by the browser, or stripped by a proxy.  I wouldn't be entirely trusting of it except during specific testing.

              Do you know which rules are failing?  You could create a copy of the portcullis.cfc, modify it to add some reporting and then use it during your personal session instead of the regular one.

              Which version of ColdFusion and hosted OS are you using?

              We had to write some exceptions for CKEditor HTML values, but we use JSoup to sanitize it to identify/remove non-approved HTML. It's extremely effective and no XSS or unsupported HTML tags or parameters are returned in the result.  (I like this solution too because it allows me to rewrite HTML so that it's more compatible with all email HTML clients.)

                  JSOUP - How to get list of disallowed tags found in html?

                  http://stackoverflow.com/a/30822689/693068

              AntiSamy is another possible solution to sanitize HTML, but I haven't used it.

              https://www.petefreitag.com/item/760.cfm

              or ESAPI4CF:

              https://github.com/damonmiller/esapi4cf
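The JSoup approach Jamo describes, calling the library from ColdFusion, as an added example that is not Jamo's code: submitted HTML is cleaned against jsoup's built-in basic whitelist, and the result also reports whether anything had to be removed, so the application can choose between storing the cleaned value and rejecting the submission with an error. It assumes the jsoup jar is on ColdFusion's classpath (for example via this.javaSettings in Application.cfc); the function name and the sample input are mine.

```cfml
<!--- Added example (not Jamo's code). Assumes the jsoup jar is loadable via createObject("java"). --->
<cffunction name="sanitizeHtml" access="public" returntype="struct" output="false">
    <cfargument name="html" type="string" required="true" />

    <cfset var Jsoup = createObject("java", "org.jsoup.Jsoup") />
    <!--- Whitelist.basic() allows simple text formatting and links only; script, style,
          img, iframe and all on* event-handler attributes are dropped. --->
    <cfset var whitelist = createObject("java", "org.jsoup.safety.Whitelist").basic() />
    <cfset var result = structNew() />

    <!--- isValid() tells us whether clean() would change anything, which lets the caller
          reject input and show the user an error instead of silently altering it. --->
    <cfset result.wasClean = Jsoup.isValid(arguments.html, whitelist) />
    <cfset result.html = Jsoup.clean(arguments.html, whitelist) />
    <cfreturn result />
</cffunction>

<!--- Constructed sample input: allowed formatting mixed with an event handler and a script tag. --->
<cfset dirty = '<p onclick="go()">Hello <b>world</b></p><script>alert(1)</script>' />
<cfset cleaned = sanitizeHtml(dirty) />
<!--- Expected: wasClean is false; html keeps <p>Hello <b>world</b></p> and nothing else. --->
<cfoutput>wasClean=#cleaned.wasClean#; html=#encodeForHtml(cleaned.html)#</cfoutput>
```

Because jsoup parses the markup rather than pattern-matching it, the cleaned output is well-formed HTML built only from the allowed tags, which is what makes it safe to echo back into the form page or embed in an email.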

              • 4. Re: Portcullis CFC breaking AJaX submitted form
                WolfShade Level 4

                Thank you for replying.  This is soon to be a non-issue.  The decision has been reached (and I like to think I helped push it along) to kick Portcullis to the curb - mostly because the last version was released January 2010.  I am now in the process of trying to implement the new ESAPI for sanitization.  So, I'll now be posting a question in the forum related to that.

                Thanks, and V/r,

                ^_^