Brad Wood

March 28, 2013

If your site ever displays text on the page that end users have control over, you should be concerned about XSS attacks. This could come in the form of user comments at the bottom of an article, user-generated content, or user profile information. In many instances, the user should never be entering any HTML, and you can simply escape that text in full with HTMLEditFormat() or EncodeForHTML() as you output it.

Other times you may be dealing with a forum or message board that allows some limited markup like bold or underline, but not script or object tags, etc. There is a very nice Java library from OWASP called AntiSamy that does just that. AntiSamy is named after the first wide-scale XSS worm ever developed, called Samy. This worm used malicious JavaScript embedded in MySpace profiles to infect over 1 million accounts in a single day.

What's cool about AntiSamy is you can create different profiles that control what HTML is valid and what isn't.  This gives you complete control over what text you allow to be stored and output on your site.  Instead of escaping forbidden tags and attributes, AntiSamy removes them entirely from the string.

ColdBox has an AntiSamy plugin to let you tap into this powerful library.  In its simplest form, it looks like this:

#getPlugin("antisamy").clean("<b>Hello <script language='javascript'>alert('haxor!');</script> World</b>")#

Despite the JavaScript block in the middle of the string, the output is "<b>Hello World</b>". As you can see, the bold tag is benign and is left alone.

More info here: http://wiki.coldbox.org/wiki/Plugins:AntiSamy.cfm

P.S. The ColdBox AntiSamy plugin ships with several policies such as ebay (default), myspace, slashdot, and tinymce stored as XML files in /coldbox/system/plugins/AntiSamy-lib/.  If you want to roll up your sleeves, you can even supply a policy of your own making.
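As an added example (not code from the original post or from the ColdBox project), here is a ColdBox handler that puts the two strategies above side by side: fields that must never hold markup are escaped with encodeForHTML() at output time, while the comment body, which may hold limited markup, is run through the AntiSamy plugin at input time. It assumes a second, optional clean() argument that names one of the bundled policies (the post only shows clean() with one argument) and a hypothetical commentService for storage.

```cfml
// Added example, not part of the original post. Assumptions are marked inline.
component extends="coldbox.system.EventHandler" {

    // POST /comments/save
    function save( event, rc, prc ){
        var antisamy    = getPlugin( "antisamy" );
        var displayName = event.getValue( "displayName", "" );
        var rawBody     = event.getValue( "body", "" );

        // The body may contain limited markup (bold, underline, links...), so let
        // the AntiSamy policy decide. Forbidden tags are removed, not escaped.
        // ASSUMPTION: the plugin accepts a policy name as a second argument;
        // "ebay" is the default policy named in the post.
        var safeBody = antisamy.clean( rawBody, "ebay" );

        // Anything AntiSamy stripped is worth logging: the same account repeatedly
        // submitting script/object tags is a signal that someone is probing the filter.
        // (Length comparison is a cheap heuristic; AntiSamy may also normalize markup.)
        if ( len( rawBody ) != len( safeBody ) ) {
            log.warn( "AntiSamy removed markup from a comment submitted via #event.getCurrentEvent()#" );
        }

        // Store the display name raw and the body already sanitized.
        // ASSUMPTION: commentService is a hypothetical model object.
        commentService.save( displayName = displayName, body = safeBody );

        setNextEvent( "comments.list" );
    }

    function list( event, rc, prc ){
        prc.comments = commentService.getAll();  // hypothetical
        event.setView( "comments/list" );
    }
}

// In the view (views/comments/list.cfm), only the no-markup field is escaped:
//
//   <cfoutput query="prc.comments">
//     <p><strong>#encodeForHTML( displayName )#</strong></p>
//     <div>#body#</div>   <!--- already cleaned by AntiSamy on the way in --->
//   </cfoutput>
```

Sanitizing on input and escaping on output are deliberately kept separate here: AntiSamy decides what markup survives, and encodeForHTML() covers the fields where no markup is allowed at all.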
