Okay... since there's really no good way to use regular expressions to 
strip HTML attributes that may contain JavaScript, I decided to write 
a UDF that detects possible JavaScript in user-published content.  For 
example, if you allow users to enter anchor tags, you need to prevent 
them from attaching unwelcome JavaScript via things like onmouseover, 
onclick, etc.

This could also be used to detect style attributes and other unwanted items.

So... How does this UDF look?

<cfscript>
// Returns true when any tag in str carries one of the listed event-handler
// attributes (case-insensitive), otherwise false.
function findScript(str)
{
        var badAttributes = 
"onblur,onfocus,oncontextmenu,onresize,onscroll,onunload,onclick,ondblclick,onmousedown,onmouseup,onmouseover,onmouseout,onmouseenter,onmouseleave,onmousemove,onchange,onreset,onselect,onsubmit,onkeydown,onkeypress,onkeyup,onabort";
        var loc = 0;
        var i = 0;
        var att = '';
                
        for (i=1; i lte listLen(badAttributes); i = i + 1)
        {
                att = listgetat(badAttributes,i);
                // Match "<tagname ... att=" inside a single tag; the attribute
                // name is interpolated via #att#, and "=" must follow it directly.
                loc = REFindNoCase("<[A-Z]*\s+[^>]*#att#=.*?>",str);
                if (loc gt 0) {
                        return true;
                }
        }
        return false;
}
</cfscript>

<cfsavecontent variable="myString">
<a href="http://www.foo.com" onmouseover="alert('Hi')">Click 
here!</a></cfsavecontent>
<cfoutput>#findScript(myString)#</cfoutput>
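Since the post opens by saying regular expressions are a poor fit for this, here is the same check written in Python on top of the standard-library HTML tokenizer instead (an added example, not the poster's UDF; ScriptAttrFinder, find_script and the sample strings are mine, and it generalizes the fixed attribute list to any attribute name beginning with "on"):

```python
from html.parser import HTMLParser

# Hypothetical helper, not the poster's UDF: walks the markup with the
# standard-library tokenizer and records every attribute that could carry
# script (any name beginning with "on") or is otherwise disallowed.
class ScriptAttrFinder(HTMLParser):
    def __init__(self, extra_blocked=("style",)):
        super().__init__()
        self.extra_blocked = set(extra_blocked)
        self.hits = []  # (tag, attribute name, attribute value)

    # handle_startendtag delegates here by default, so <img ... /> is covered.
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            # The tokenizer lower-cases names and strips quotes, so ONCLICK,
            # onclick = "x" and onclick=x all arrive here as "onclick".
            if name.startswith("on") or name in self.extra_blocked:
                self.hits.append((tag, name, value))


def find_script(markup, extra_blocked=("style",)):
    """Return a list of (tag, attribute, value) hits; an empty list is clean."""
    parser = ScriptAttrFinder(extra_blocked)
    parser.feed(markup)
    parser.close()
    return parser.hits


# Constructed samples: the poster's own test string plus spellings that the
# pattern "<[A-Z]*\s+[^>]*onclick=.*?>" would not see.
SAMPLES = {
    "poster": "<a href=\"http://www.foo.com\" onmouseover=\"alert('Hi')\">Click here!</a>",
    "clean": "<a href=\"http://www.foo.com\">Click here!</a>",
    "spaced": "<a href=\"/x\" onclick = \"go()\">x</a>",
    "unquoted": "<img src=\"x.png\" ONMOUSEOVER=go()>",
    "style": "<p style=\"color:red\">x</p>",
}

if __name__ == "__main__":
    for label, markup in SAMPLES.items():
        print(label, find_script(markup))
```

Treat it as a detector like the UDF, not a sanitizer: html.parser is lenient, and attribute values are not inspected, so URL-bearing attributes such as href still need their own scheme check.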

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:262008