"Safe Scripting"
Vol. 2, Iss.7, p.6
 
Listing 1
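<html lang="en">
<head>
<title>Cross-Site Scripting Example Login Page</title>
</head>
<body>
<!-- Login form for the example. Credentials travel in the request body (POST) rather
     than the query string, so they are not written to server logs, browser history or
     the Referer header; the receiving page still reads the fields by name. The controls
     carry labels and their attributes are properly space-separated (the original ran
     type= "Text" straight into name="..."). -->
<form action="login2.cfm" method="POST">
<label for="username">Username:</label> <input type="text" id="username" name="username" autocomplete="username"><br>
<label for="password">Password:</label> <input type="password" id="password" name="password" autocomplete="current-password"><br>
<input type="submit" name="submit">
</form>
</body>
</html>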
 
Listing 2
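<html>
<head>
<title>Cross-Site Scripting Example</title>
</head>
<body>
<cfoutput>
<!--- username is whatever the login form (Listing 1) submitted. HtmlEditFormat turns
      <, >, & and " into their entities, so a submitted <script> element is displayed as
      text instead of being parsed and executed by the browser. The lookup is left
      unscoped so the page works whether the form was sent with GET (URL scope) or POST
      (FORM scope); prefer naming the scope once the form's method is fixed. --->
Hello #HtmlEditFormat(username)#
</cfoutput>
</body>
</html>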
 
Listing 3
<html>
<head>
<title>Cross-Site Scripting Example</title>
</head>
<body>
<!-- The page a browser receives when the username value is echoed into the markup
     without HTML-encoding and the value is a script element: the tag arrives as markup,
     so the browser runs it instead of showing the text. Encoding the value at output
     time (HtmlEditFormat in CFML) would render the same input as literal characters. -->
Hello <script> alert('By Jove, I\'ve been hacked');</script>
</body>
</html>
 
Listing 4
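function filterAll( ){
// Strip the characters RemoveBad rejects from both credentials before the form is
// submitted. This runs in the user's browser, so it only helps well-behaved clients:
// anyone can disable it or send the request directly, and the server-side check
// remains the control that matters. Note that removing characters from a password
// silently changes what the server receives.
var form = document.forms[0];
form.username.value = RemoveBad(form.username.value);
// Was RemoveBad(form.username.value): the password field was being overwritten with
// the sanitised username, so the password actually submitted never matched the one typed.
form.password.value = RemoveBad(form.password.value);
return true;
}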
//Function RemoveBad taken directly from Microsoft's Knowledge Base article Q25985
function RemoveBad(strTemp){
// Remove every character in the deny-list below (angle brackets, double and single
// quotes, percent, semicolon, parentheses, ampersand, plus, hyphen); everything else
// passes through unchanged. A deny-list narrows the input but does not encode it, so
// the value still needs HTML-encoding wherever it is rendered.
var denied = /[<>"'%;()&+-]/g;
return strTemp.replace(denied, "");
}
 
Listing 5
<!---
***************************************************************************
Name: cf_filter
Description: used to check all form field, URL, session and client variables and all cookies for illegal (potentially malicious) characters. Modify the FindNoCase line to filter the characters desired; however, this should catch 99.9% of malicious tags. When an illegal character is found this tag throws an exception.
INPUTS: checkfield - yes or no to check fields
checkurl - yes or no to check URL
checkcookie - yes or no to check cookies
checkclient - yes or no to check client vars
checksession - yes or no to check session vars
example: <cf_filter checkfield="yes" checkurl="no" checkcookie="yes" checkclient="yes"
checksession="yes">
*******************************************************************************
--->
<!--- Resolve each tag attribute to a local flag; an attribute the caller omits defaults to "yes" --->
<cfparam name="attributes.checkfield" default="yes">
<cfparam name="attributes.checkurl" default="yes">
<cfparam name="attributes.checkcookie" default="yes">
<cfparam name="attributes.checkclient" default="yes">
<cfparam name="attributes.checksession" default="yes">
<cfset checkfield = attributes.checkfield>
<cfset checkurl = attributes.checkurl>
<cfset checkcookie = attributes.checkcookie>
<cfset checkclient = attributes.checkclient>
<cfset checksession = attributes.checksession>
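<!--- now start checking each collection/list/group of variables --->
<!--- A value containing any of these characters is rejected; one regular expression
      replaces the seven separate FindNoCase tests (none of the characters have case). --->
<cfset illegalChars = "[%<>\[\]{}]">
<cfif checkfield EQ "yes">
<cfif IsDefined("FORM.fieldnames")>
<!--- loop through all the formfields. FORM[curItem] reads the submitted value by name;
      evaluate(curItem) resolved the bare field name through the unscoped lookup order,
      so a field whose name matched a variable in another scope could be checked against
      the wrong value. --->
<cfloop index="curItem" list="#FORM.fieldnames#">
<cfif REFind(illegalChars, FORM[curItem]) GT 0>
<cfset theMess = "The form field<b>" & HtmlEditFormat(curItem) & " = " &
HtmlEditFormat(FORM[curItem]) & "</b> contains an invalid character.">
<cfthrow message="#theMess#">
</cfif>
</cfloop>
</cfif>
</cfif>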
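<cfif checkurl EQ "yes">
<!--- CGI.QUERY_STRING is always defined (empty when there are no parameters), so a
      length test replaces the deprecated parameterexists(). --->
<cfif Len(CGI.QUERY_STRING) GT 0>
<!--- loop through the URL variables, one name=value pair per item. The raw query string
      is inspected before URL-decoding, so a "%" from any percent-encoded byte — including
      an encoded space — fails the check; presumably intended, since encoding is the usual
      way to carry the other characters past a filter, but legitimate encoded input is
      rejected as well. --->
<cfset illegalChars = "[%<>\[\]{}]">
<cfloop list="#CGI.QUERY_STRING#" index="curItem" delimiters="&">
<cfif REFind(illegalChars, curItem) GT 0>
<cfset theMess = "The URL parameter<b>" & HtmlEditFormat(curItem) &
"</b> contains an illegal string.">
<cfthrow message="#theMess#">
</cfif>
</cfloop>
</cfif>
</cfif>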
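<cfif checkcookie EQ "yes">
<!--- The CGI scope is named explicitly; the bare "http_cookie" only reached it through the
      unscoped lookup order. CGI.HTTP_COOKIE is "" when the request carries no cookies. --->
<cfif Len(CGI.HTTP_COOKIE) GT 0>
<!--- loop through the cookies in the raw Cookie header, one name=value pair per item. As
      with the URL check this sees values before decoding, so any percent-encoded byte
      trips the "%" test. --->
<cfset illegalChars = "[%<>\[\]{}]">
<cfloop list="#CGI.HTTP_COOKIE#" index="curItem" delimiters=";">
<cfif REFind(illegalChars, curItem) GT 0>
<cfset theMess = "The cookie variable<b>" & HtmlEditFormat(curItem) &
"</b> contains an invalid character.">
<cfthrow message="#theMess#">
</cfif>
</cfloop>
</cfif>
</cfif>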
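<cfif checksession EQ "yes">
<!--- The struct is passed directly: wrapping it as "#session#" asks ColdFusion to convert
      a complex value to a string, which raises an error instead of testing emptiness.
      Assumes session management is enabled for the application, as the original did. --->
<cfif NOT StructIsEmpty(session)>
<!--- loop through the session variables, remember session variables are a struct --->
<cfset illegalChars = "[%<>\[\]{}]">
<cfloop collection="#session#" item="curItem">
<!--- FindNoCase/REFind accept only strings; nested structs, arrays or query objects stored
      in the session are skipped rather than crashing the check. --->
<cfif IsSimpleValue(session[curItem])>
<cfif REFind(illegalChars, session[curItem]) GT 0>
<cfset theMess = "The session variable<b>" & HtmlEditFormat(curItem) &
" = " & HtmlEditFormat(session[curItem]) & "</b> contains an invalid characters.">
<cfthrow message="#theMess#">
</cfif>
</cfif>
</cfloop>
</cfif>
</cfif>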
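<cfif checkclient EQ "yes">
<cfif IsDefined("client.cfid")>
<!--- loop through all the client variables, for this we have an easy to use function
      getclientvariableslist. CLIENT[curItem] reads each value by name from its own scope;
      evaluate(curItem) went through the unscoped lookup order first, so a client variable
      sharing a name with a local or form variable could be checked against the wrong value. --->
<cfset illegalChars = "[%<>\[\]{}]">
<cfloop index="curItem" list="#GetClientVariablesList()#">
<cfif REFind(illegalChars, CLIENT[curItem]) GT 0>
<cfset theMess = "The client variable<b>" & HtmlEditFormat(curItem) &
" = " & HtmlEditFormat(CLIENT[curItem]) & "</b> contains an invalid characters.">
<cfthrow message="#theMess#">
</cfif>
</cfloop>
</cfif>
</cfif>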