Re: Sanitizing User Input
The AntiSamy project is maybe the best way to sanitize any user input out there.

--
Regards,
Andrew Scott
WebSite: http://www.andyscott.id.au/
Google+: http://plus.google.com/108193156965451149543

On Thu, Feb 2, 2012 at 8:33 AM, douglas cohn douglas.c...@gmail.com wrote:

~| Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:349760
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Sanitizing User Input
I second that. The AntiSamy project is maybe the best way to sanitize any user input out there.

--
Regards,
Andrew Scott
WebSite: http://www.andyscott.id.au/
Google+: http://plus.google.com/108193156965451149543

On Thu, Feb 2, 2012 at 8:33 AM, douglas cohn douglas.c...@gmail.com wrote:

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:349761
Re: Sanitizing User Input
Sorry for the OT post but I could not help but think of Little Bobby Tables.
http://imgs.xkcd.com/comics/exploits_of_a_mom.png

G!

On Thu, Feb 2, 2012 at 9:42 PM, Andrew Grosset rushg...@yahoo.com wrote:

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:349762
Sanitizing User Input
I recently received a notice that my PCI security scan failed. On further review it seems we have a PDF that we use to show some of our products, and the PDF was created from a PowerPoint presentation. It appears there is a single HTM page that caused the alert. The company stated the following (see below).

What I am looking for is a way to control user input within CF. I found an MS page that has a VB script but would prefer something in CF.
http://msdn.microsoft.com/en-us/library/ms525361%28v=vs.90%29.aspx

From the Security Company:
You will need to make sure all user input is being sanitized of all special characters. This may not be bringing up the alert, but because the special characters are not sanitized, it leaves open the possibility that a malicious attacker could get their scripts to execute.

Thanks so much for any assistance

Doug

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:349726
Re: Sanitizing User Input
That VB script just uses a regular expression (already written for you). All you need to do is use it in conjunction with ColdFusion's built-in `reFind()` or `reFindNoCase()` functions.
http://help.adobe.com/en_US/ColdFusion/9.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec22c24-7e9a.html
http://help.adobe.com/en_US/ColdFusion/9.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec22c24-7e99.html

So, something like so:

    // reFind() returns the 1-based position of the match, or 0 when the whole
    // string does not match the whitelist pattern (the pattern is a quoted string)
    if ( NOT reFind( "^[\w\.:\?=/]*$", myString ) ) {
        // oops, they failed... handle appropriately
    }

HTH

On Wed, Feb 1, 2012 at 3:33 PM, douglas cohn douglas.c...@gmail.com wrote:

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:349727
RE: Sanitizing User Input
You can wrap any user input in xmlformat() to rid yourself of any special characters. I would use that around the function that sends the stuff to your security software.

-Original Message-
From: Matt Quackenbush [mailto:quackfu...@gmail.com]
Sent: Wednesday, February 01, 2012 3:46 PM
To: cf-talk
Subject: Re: Sanitizing User Input

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:349737
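A worked ColdFusion example, added here and not code posted by anyone in this thread, that puts the two suggestions side by side: Matt's whitelist regex checked with reFind(), and xmlFormat() escaping from the reply above for values that still have to be echoed into a page. The function names, the sample values and the loop are assumptions of this example; the regex is the one from the thread.

```cfml
<cfscript>
// Added example for this thread, not code posted by any of its participants.
// It combines the two suggestions above: whitelist validation with reFind()
// (Matt's regex) and escaping with xmlFormat() (the later reply).
// Function names and the sample values below are assumptions.

// Whitelist check: true only when every character of the value is one of
// [A-Za-z0-9_ . : ? = /]. reFind() returns the 1-based match position, or 0
// when the anchored pattern does not match, so 0 means "rejected".
function isAllowedInput(required string value) {
    return reFind("^[\w\.:\?=/]*$", arguments.value) GT 0;
}

// Escape for output. xmlFormat() does not strip characters; it turns
// & < > " ' into entities so the browser renders them as text instead of
// parsing them as markup. This is what stops an echoed value from executing.
function escapeForOutput(required string value) {
    return xmlFormat(arguments.value);
}

// Constructed sample inputs (not real scanner data).
samples = [
    "http://www.example.com/page.cfm?id=42",   // passes the whitelist
    "Bobby O'Brien",                           // legitimate, but rejected: space and apostrophe
    "<script>alert(1)</script>"                // rejected; escaped if it must be echoed
];

for (i = 1; i LTE arrayLen(samples); i++) {
    value = samples[i];
    if (isAllowedInput(value)) {
        writeOutput("ACCEPTED: " & value & "<br>");
    } else {
        // Reject the value or, when it must still be displayed, escape it.
        writeOutput("REJECTED: " & escapeForOutput(value) & "<br>");
    }
}
</cfscript>
```

Save it as a .cfm page and request it. The whitelist rejects anything containing a space or an apostrophe, so it only fits URL-like fields; for free-text fields, escaping at output (or a policy-based cleaner such as AntiSamy, recommended above) is what actually stops the script the scanner warned about, and values that end up in SQL belong in cfqueryparam regardless of either check.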
Re: Sanitizing User Input
The AntiSamy project is maybe the best way to sanitize any user input out there.

--
Regards,
Andrew Scott
WebSite: http://www.andyscott.id.au/
Google+: http://plus.google.com/108193156965451149543

On Thu, Feb 2, 2012 at 8:33 AM, douglas cohn douglas.c...@gmail.com wrote:

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:349738