I've been pretty happy with the CodeCleaner tag.  

http://tinyclick.com/?W1YQRV

Uses cfscript w/ regexes, seems fast, thorough and provides options on
handling.  MX's code analyzer squawks about a couple of the regexes, but
after some testing it still seemed to work fine.  The "script block
remover" only removes the script tags in MX; haven't tested to see if
that was the behavior under older CFs.


--Matt Robertson--
MSB Designs, Inc.
http://mysecretbase.com



-----Original Message-----
From: Robert Everland [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, June 27, 2002 6:21 AM
To: CF-Talk
Subject: RE: security: attacks through submission of script


Or just add this to your Application.cfm; Allaire released it a while
ago. Works great. The tag is from <cfsilent> to </cfsilent>.

<cfmodule
        template="customTags/inputfilter.cfm"
        scopes="FORM,COOKIE,URL"
        chars="),(,%,&,$,*,<,>,;"
        tags="SCRIPT,OBJECT,APPLET,EMBED,FORM,LAYER,ILAYER,FRAME,IFRAME,FRAMESET,PARAM,META,TABLE,TD,TH,TR,HEAD,BODY,FONT,A,IMG,B,U,I,OL,UL">

<cfsilent>
<!---
        Template:               inputfilter.cfm
        Author:                 Peter Muzila

        Source Control:         $Header: $

        Description:

                The cf_inputFilter tag removes characters or tags from all fields coming
                from the specified scopes (form, cookie, or url). This tag can be placed
                in the Application.cfm file to filter out any input coming through these
                scopes to any of the templates belonging to the Application.cfm file.

                This tag can be executed only with CF 4.5 or higher.

        Usage:

                <cf_inputFilter
                        scopes = "[FORM][,COOKIE][,URL]"
                        chars  = "list_of_chars"
                        tags   = "ALL|list_of_tags"
                >

        Attributes:

                scopes (string list, required) - comma-delimited list of input scopes
                        to be filtered
                chars (string, optional) - string containing the set of characters to
                        be filtered out of the input scope
                tags (string list, optional) - comma-delimited list of tag names to be
                        filtered out of the input scope
--->

<!--- attributes validation --->
<cfparam name="attributes.scopes">
<cfparam name="attributes.chars" default="">
<cfparam name="attributes.tags" default="">

<cfscript>
        // prepare regular expression for the tag search
        reTags = "";
        if ( attributes.tags eq "ALL" )
                // re for any tag - "<*>"
                reTags = "<[^>]*>";
        else if ( attributes.tags neq "" )
                // re for any of the listed tags - "<tag1|tag2|...|tagN>"
                reTags = "</?(#ListChangeDelims(attributes.tags, '|', ',')#)[^>]*>";

        // get comma-delimited list of chars from char set
        charList = attributes.chars;
</cfscript>

<cfloop list="#attributes.scopes#" index="scopeName">
        <cfif not FindNoCase("multipart/form-data", cgi.CONTENT_TYPE)>
                <cfscript>
                        // get the handle for the scope (form, cookie, url)
                        s = Evaluate( scopeName );

                        // scroll through fields in the scope and handle only simple values
                        for ( field in s )
                                if ( IsSimpleValue( s[field] ) ) {

                                        // replace tags
                                        if ( reTags neq '' )
                                                s[field] = REReplace( s[field], reTags, "", "ALL" );

                                        // replace chars
                                        if ( charList neq '' )
                                                s[field] = ReplaceList( s[field], charList, "" );
                                }
                </cfscript>
        </cfif>
</cfloop>
</cfsilent>

Robert Everland III
Web Developer Extraordinaire
Dixon Ticonderoga Company
http://www.dixonusa.com 

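To make the tag's two filtering passes concrete, here is an added Python port (not the Allaire tag itself, nor anything from the thread) of its regex construction and character stripping, run against the input from Matthieu's message, with HTML output encoding shown alongside as the complementary defense for the echoed value. It assumes case-insensitive tag matching; the CF tag calls REReplace, which is case-sensitive.

```python
import html
import re

# Tag and character lists copied from the cfmodule call in the thread.
TAGS = ("SCRIPT,OBJECT,APPLET,EMBED,FORM,LAYER,ILAYER,FRAME,IFRAME,FRAMESET,"
        "PARAM,META,TABLE,TD,TH,TR,HEAD,BODY,FONT,A,IMG,B,U,I,OL,UL")
CHARS = "),(,%,&,$,*,<,>,;"

# Constructed sample field value: the example Matthieu gives in his message.
SAMPLE_INPUT = '<font color="red">Check this out!</font>'


def build_tag_regex(tags):
    """Mirror the reTags construction in inputfilter.cfm: "ALL" matches any
    tag, otherwise only the listed names, as open or close tag with any
    attributes. Assumption: matching is case-insensitive here; the CF tag
    uses REReplace, which is case-sensitive."""
    if tags.upper() == "ALL":
        return re.compile(r"<[^>]*>")
    names = "|".join(re.escape(t.strip()) for t in tags.split(",") if t.strip())
    return re.compile(rf"</?({names})[^>]*>", re.IGNORECASE)


def input_filter(value, tags="", chars=""):
    """Apply the tag's two passes to one simple-valued field: remove matching
    tags first, then delete every character in the comma-delimited list
    (the ReplaceList call with an empty replacement list)."""
    if tags:
        value = build_tag_regex(tags).sub("", value)
    for ch in chars.split(","):
        if ch:
            value = value.replace(ch, "")
    return value


def encode_for_html(value):
    """Output-side alternative to stripping: escape the value so it renders
    literally when echoed back (HTMLEditFormat in CFML, html.escape here)."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    print(input_filter(SAMPLE_INPUT, TAGS, CHARS))
    print(encode_for_html(SAMPLE_INPUT))
```

Note that the tag pass removes only the tags themselves and leaves the text between them, which is the behaviour Matt describes for the script block remover.
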
-----Original Message-----
From: Trusz, Andrew [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, June 27, 2002 7:12 AM
To: CF-Talk
Subject: RE: security: attacks through submission of script


Since nobody else seems to have responded, I'll give it a quick pass.
Data from forms needs to be validated. Regular expressions on the server
side do this nicely (including dealing with SQL insertion attack), if
you construct them carefully. You can also check for the referring page
to be sure it comes from your server.  Yes, that means one set of
validating scripts for the client before submission and another on the
action page to filter attacks. Slower? A little. Safer? Oh yes!

JavaScript is indeed generally safe in and of itself. Most of the
egregious security holes have long since been patched. But that doesn't
mean proprietary implementations won't open new holes. The major holes
now are in HTML email. Attacks through forms don't usually use
JavaScript; other scripts or commands are sent through the forms.

For a quick fix you might look at "Hack Proofing Your Web
Application", Jeff Forristal and Julie Traxler, Syngress Press. And for
hacking itself, the old reliable "Hacking Exposed", which may now be in a
3rd edition from Osborne. Lots of good web references as well, but watch
the source.

andy 

-----Original Message-----
From: Cornillon, Matthieu [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 26, 2002 4:09 PM
To: CF-Talk
Subject: security: attacks through submission of script


Hi.  I am evaluating the security of my application as regards malicious
attack via manipulation of the Cookie, URL, or Form variables.  I know
about the business with submission of unauthorized SQL statements, and
have already screened for it.  But then there is the issue of
unauthorized script insertion.  For example, if a form asks for a value
(FormVar) and the action page displays that value
(<CFOUTPUT>#Form.FormVar#</CFOUTPUT>), the educated user can submit
things other than those intended, causing interesting results.  If they
enter <font color="red">Check this out!</font>, the next page will
display Check this out! in red letters.  I have also successfully passed
JavaScript like this.  Going on my basic (and hopefully correct)
assumption that JavaScript is set up so that it cannot (a) harm the
user's machine or (b) harm the server, I am not going to worry about
this, since the worst a user will do is pass themselves a JavaScript
routine that produces an error.
 
That is fine for client-side scripting, but I am worried about
server-side scripting.  Submission of ColdFusion code through these
variables shouldn't matter, since it won't appear in the template until
after ColdFusion processing has occurred, meaning that the inserted code
itself will not be processed.  Are there any other scripting languages,
though, that would be evaluated on the server side AFTER the CFAS
processes the template?
 
Thanks,
Matthieu

