Re: Sanitizing User Input

2012-02-02 Thread Andrew Grosset

The AntiSamy project is maybe the best way to sanitize any user input out
there.


-- 
Regards,
Andrew Scott
WebSite: http://www.andyscott.id.au/
Google+: http://plus.google.com/108193156965451149543




On Thu, Feb 2, 2012 at 8:33 AM, douglas cohn douglas.c...@gmail.com wrote:

 

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:349760
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm


Re: Sanitizing User Input

2012-02-02 Thread Andrew Grosset

I second that.

The AntiSamy project is maybe the best way to sanitize any user input out
there.


-- 
Regards,
Andrew Scott
WebSite: http://www.andyscott.id.au/
Google+: http://plus.google.com/108193156965451149543




On Thu, Feb 2, 2012 at 8:33 AM, douglas cohn douglas.c...@gmail.com wrote:

 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:349761


Re: Sanitizing User Input

2012-02-02 Thread Gerald Guido

Sorry for the OT post but I could not help but think of Little Bobby
Tables.

http://imgs.xkcd.com/comics/exploits_of_a_mom.png

G!

On Thu, Feb 2, 2012 at 9:42 PM, Andrew Grosset rushg...@yahoo.com wrote:


> I second that.
>
> The AntiSamy project is maybe the best way to sanitize any user input out
> there.
>
> --
> Regards,
> Andrew Scott
> WebSite: http://www.andyscott.id.au/
> Google+: http://plus.google.com/108193156965451149543
>
> On Thu, Feb 2, 2012 at 8:33 AM, douglas cohn douglas.c...@gmail.com
> wrote:

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:349762


Sanitizing User Input

2012-02-01 Thread douglas cohn

I recently received a notice that my PCI security scan failed.

On further review, it seems we have a PDF that we use to show some of our 
products and the PDF was created from a POWERPOINT Presentation. 

It appears there is a single HTM page that caused the alert.  The company 
stated the following (see below).  What I am looking for is a way to control 
user input within CF.  I found an MS page that has a VB script but would prefer 
something in CF.
http://msdn.microsoft.com/en-us/library/ms525361%28v=vs.90%29.aspx

From the Security Company

You will need to make sure all user input is being sanitized of all special 
characters. This may not be bringing up the alert, but because the special 
characters are not sanitized, it leaves open the possibility that a malicious 
attacker could get their scripts to execute. 

Thanks so much for any assistance

Doug

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:349726


Re: Sanitizing User Input

2012-02-01 Thread Matt Quackenbush

That VB script just uses a regular expression (already written for you).
All you need to do is use it in conjunction with ColdFusion's built-in
`reFind()` or `reFindNoCase()` functions.

http://help.adobe.com/en_US/ColdFusion/9.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec22c24-7e9a.html
http://help.adobe.com/en_US/ColdFusion/9.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec22c24-7e99.html

So, something like so:

// reFind() returns 0 when the whitelist pattern does not match the whole string,
// so a zero result means the input contains a character outside the whitelist
if ( NOT reFind( "^[\w\.:\?=/]*$", myString ) )
{
// oops, they failed... handle appropriately
}

HTH


On Wed, Feb 1, 2012 at 3:33 PM, douglas cohn douglas.c...@gmail.com wrote:


> I recently received a notice that my PCI security scan failed.
>
> On further review, it seems we have a PDF that we use to show some of our
> products and the PDF was created from a POWERPOINT Presentation.
>
> It appears there is a single HTM page that caused the alert.  The company
> stated the following (see below).  What I am looking for is a way to
> control user input within CF.  I found an MS page that has a VB script but
> would prefer something in CF.
> http://msdn.microsoft.com/en-us/library/ms525361%28v=vs.90%29.aspx
>
> From the Security Company
>
> You will need to make sure all user input is being sanitized of all
> special characters. This may not be bringing up the alert, but because the
> special characters are not sanitized, it leaves open the possibility that a
> malicious attacker could get their scripts to execute.
>
> Thanks so much for any assistance
>
> Doug

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:349727


RE: Sanitizing User Input

2012-02-01 Thread Eric Roberts

You can wrap any user input in xmlformat() to rid yourself of any special
characters.  I would use that around the function that sends the stuff to
your security software.

-Original Message-
From: Matt Quackenbush [mailto:quackfu...@gmail.com] 
Sent: Wednesday, February 01, 2012 3:46 PM
To: cf-talk
Subject: Re: Sanitizing User Input


That VB script just uses a regular expression (already written for you).
All you need to do is use it in conjunction with ColdFusion's built-in
`reFind()` or `reFindNoCase()` functions.

http://help.adobe.com/en_US/ColdFusion/9.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec22c24-7e9a.html
http://help.adobe.com/en_US/ColdFusion/9.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec22c24-7e99.html

So, something like so:

// reFind() returns 0 when the whitelist pattern does not match the whole string
if ( NOT reFind( "^[\w\.:\?=/]*$", myString ) ) {
// oops, they failed... handle appropriately
}

HTH


On Wed, Feb 1, 2012 at 3:33 PM, douglas cohn douglas.c...@gmail.com wrote:


> I recently received a notice that my PCI security scan failed.
>
> On further review, it seems we have a PDF that we use to show some of
> our products and the PDF was created from a POWERPOINT Presentation.
>
> It appears there is a single HTM page that caused the alert.  The
> company stated the following (see below).  What I am looking for is a
> way to control user input within CF.  I found an MS page that has a VB
> script but would prefer something in CF.
> http://msdn.microsoft.com/en-us/library/ms525361%28v=vs.90%29.aspx
>
> From the Security Company
>
> You will need to make sure all user input is being sanitized of all
> special characters. This may not be bringing up the alert, but because
> the special characters are not sanitized, it leaves open the
> possibility that a malicious attacker could get their scripts to execute.
>
> Thanks so much for any assistance
>
> Doug



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:349737
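Matt's whitelist check and Eric's encoding suggestion combined in CFScript, as an added example that is not code from the thread. It assumes the CF9-era built-ins reFind(), htmlEditFormat() and xmlFormat(), and tightens the MSDN regex from `*` to `+` so an empty value is rejected as well.

```cfml
<cfscript>
// Added example, not from the thread. Whitelist validation with reFind() plus
// output encoding chosen for the context the value is written into.

// True only when value consists solely of the characters the MSDN whitelist
// allows: word characters, '.', ':', '?', '=' and '/'. Anything else,
// including < > " ' ; ( ), fails. '+' instead of '*' also rejects "".
function isWhitelisted(value) {
    // reFind() returns 0 when the anchored pattern does not match
    return reFind("^[\w\.:\?=/]+$", arguments.value) GT 0;
}

// Validate one parameter and prepare encoded copies of it. Validation rejects
// input that is out of spec; encoding neutralises whatever does get rendered,
// so the two layers are used together rather than as alternatives.
function checkParam(name, value) {
    var result = structNew();
    result.name = arguments.name;
    result.ok = isWhitelisted(arguments.value);
    // For HTML output: turns < > & " into entities (Matt's reFind check is
    // for input; this is for the response).
    result.html = htmlEditFormat(arguments.value);
    // For XML output (Eric's suggestion): also escapes the apostrophe.
    result.xml = xmlFormat(arguments.value);
    return result;
}

// Constructed sample inputs: a legitimate page parameter and a value with markup.
samples = ["products/catalog.htm?page=2", "<script>alert(1)</script>"];
for (i = 1; i LTE arrayLen(samples); i = i + 1) {
    r = checkParam("q", samples[i]);
    writeOutput("ok=" & r.ok & " html=" & r.html & " xml=" & r.xml & "<br>");
}
</cfscript>
```

The first sample passes the whitelist; the second fails it, and both encoded copies render as literal text rather than markup.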


Re: Sanitizing User Input

2012-02-01 Thread Andrew Scott

The AntiSamy project is maybe the best way to sanitize any user input out
there.


-- 
Regards,
Andrew Scott
WebSite: http://www.andyscott.id.au/
Google+: http://plus.google.com/108193156965451149543




On Thu, Feb 2, 2012 at 8:33 AM, douglas cohn douglas.c...@gmail.com wrote:


> I recently received a notice that my PCI security scan failed.
>
> On further review, it seems we have a PDF that we use to show some of our
> products and the PDF was created from a POWERPOINT Presentation.
>
> It appears there is a single HTM page that caused the alert.  The company
> stated the following (see below).  What I am looking for is a way to
> control user input within CF.  I found an MS page that has a VB script but
> would prefer something in CF.
> http://msdn.microsoft.com/en-us/library/ms525361%28v=vs.90%29.aspx
>
> From the Security Company
>
> You will need to make sure all user input is being sanitized of all
> special characters. This may not be bringing up the alert, but because the
> special characters are not sanitized, it leaves open the possibility that a
> malicious attacker could get their scripts to execute.
>
> Thanks so much for any assistance
>
> Doug

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:349738