views: 140

answers: 4

I have a WYSIWYG editor in my ColdFusion app and need to prevent XSS attacks. Are there any ColdFusion ways to strip out all script-type attacks?

+2  A: 

The main question I would ask is what is this WYSIWYG for? Many WYSIWYGs allow you to define specific tags to have stripped out of the code.

For instance you can have TinyMCE strip out the script tags with
http://wiki.moxiecode.com/index.php/TinyMCE:Configuration/invalid_elements

This unfortunately does not solve your problem since all client-side data form submissions are circumventable. If you must use a WYSIWYG, then what you really need to make sure to do is to cover all your bases on the form's validation and display. You can strip out all script tags and make sure to remove any event attributes and JavaScript code in links' href attributes.

If it is acceptable to only allow a specific subset of tags I would suggest either using BBML, BBCode, or Markdown.

http://www.depressedpress.com/Content/Development/ColdFusion/Extensions/DP_ParseBBML/Index.cfm

http://en.wikipedia.org/wiki/BBCode

http://sebduggan.com/projects/cfxmarkdown

You can use TinyMCE as a WYSIWYG for BBCode http://tinymce.moxiecode.com/examples/example_09.php and StackOverflow uses a great markdown editor http://github.com/cky/wmd

Here is some good info if you would like to render BBCode in ColdFusion:
http://www.sitepoint.com/forums/showthread.php?t=248040

Tyler Clendenin
A: 

Something to consider is that while stripping the tags out in the browser with TinyMCE is a good idea, it makes a fatal assumption that the user is going to be submitting content via the browser. Anything that you do in the browser needs to be duplicated on the server because attackers can bypass any validation that happens in the browser.

With that said, check this article: http://www.fusionauthority.com/techniques/3908-how-to-strip-tags-in-three-easy-lessons.htm which spells this out in more detail than I could here. Basically it discusses using regex and UDFs to strip tags out easily. The last example is particularly important... check it out.

Daniel Sellers
I don't even want to bother with the Front-end, and want a 100% server solution
AnApprentice
That's a good link. It is a little concerning to rely on given it's 7 years old :)
AnApprentice
The principles outlined in the article are as valid today as they were 7 years ago. You want to make sure that you are getting exactly the kind of value you expect.
Daniel Sellers
A: 

To convert these tags (<>), use the HTMLEditFormat function.

ppshein
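Pulling the three answers together, here is an added example (not code from any of the answers, the linked article, or any of the editors mentioned) of the server-side pass the second answer asks for: it strips the elements that can run script, drops the on* event attributes and neutralises script-bearing href/src values that the first answer lists, and ends with the HTMLEditFormat route from the third answer for fields that need no markup at all. All function names are hypothetical, and the sample input is constructed.

```cfml
<cfscript>
// Added example, not code from any of the answers above. Function names are
// hypothetical. Run this on the server against the submitted form field,
// regardless of what the browser-side editor already filtered.

// 1. Remove whole elements whose bodies must never reach the page.
function stripDangerousElements(required string html) {
    var out = arguments.html;
    var blocked = ["script", "style", "iframe", "object", "embed"];
    for (var tag in blocked) {
        // Paired form, body included: <tag ...> ... </tag>. [\s\S] also spans newlines.
        out = reReplaceNoCase(out, "<" & tag & "\b[^>]*>[\s\S]*?</" & tag & "\s*>", "", "all");
        // Any stray opening, closing or self-closing tag left over.
        out = reReplaceNoCase(out, "</?" & tag & "\b[^>]*/?>", "", "all");
    }
    return out;
}

// 2. Drop every on* attribute (onclick, onmouseover, onerror, ...), whatever the quoting.
function stripEventAttributes(required string html) {
    return reReplaceNoCase(arguments.html,
        "\s+on[a-z]+\s*=\s*(""[^""]*""|'[^']*'|[^\s>]+)", "", "all");
}

// 3. Neutralise href/src values that start with a script-capable scheme.
//    The scheme is replaced by "unsafe:", which no browser dispatches.
function neutraliseScriptUrls(required string html) {
    return reReplaceNoCase(arguments.html,
        "(href|src)\s*=\s*([""']?)\s*(javascript|vbscript|data)\s*:", "\1=\2unsafe:", "all");
}

// Convenience wrapper running the three passes in order.
function sanitizeRichText(required string html) {
    return neutraliseScriptUrls(stripEventAttributes(stripDangerousElements(arguments.html)));
}

// For fields that need no markup at all: encode rather than strip.
// HTMLEditFormat turns < > & " into entities, so the browser renders them as text.
function escapeForDisplay(required string text) {
    return htmlEditFormat(arguments.text);
}

// Constructed sample, not a real submission.
sample = '<p onmouseover="steal()">Hello <b>world</b></p>'
       & '<script>alert(1)</script>'
       & '<a href="javascript:alert(2)">link</a>'
       & '<img src=x onerror="alert(3)">';

cleaned = sanitizeRichText(sample);

// Show the sanitised and the fully escaped source side by side.
writeOutput("<pre>" & htmlEditFormat(cleaned) & "</pre>");
writeOutput("<pre>" & escapeForDisplay(sample) & "</pre>");
</cfscript>
```

The regex passes are a denylist, so they only catch what they name: tags outside the list, entity-encoded or whitespace-padded scheme names, and attributes that carry script without an on* prefix all pass through. That is why the first answer's allowlist route (BBCode or Markdown rendered to a fixed set of tags) is the stronger choice wherever the audience is not trusted; the passes above are the minimum for content that must keep arbitrary HTML. On ColdFusion 10 and later, encodeForHTML() replaces HTMLEditFormat() and also encodes the single quote.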