Participant
November 13, 2010

Any need to use xmlFormat() if I enable Global Script Protection?


My site displays a lot of user-supplied data, so I am concerned about XSS attacks. I have been using xmlFormat() when displaying user input. What I am wondering is whether enabling Global Script Protection in the CF Admin gives me all the protection that xmlFormat or htmlEditFormat does. If so, I'd rather check that one box than have to remember to use xmlFormat all the time. So is Global Script Protection all I really need?

Thanks.

Pete


Community Expert
November 13, 2010

The XmlFormat function isn't intended to provide XSS protection. It simply escapes XML metacharacters so that you can use the values containing those characters within an XML document. So, that's not a good approach.

The Global Script Protection is a nice idea, but it's incomplete - it simply looks for a list of specific terms and excludes them from inputs.

So, in conclusion, I recommend that you use HtmlEditFormat.

Dave Watts, CTO, Fig Leaf Software

http://www.figleaf.com/

http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on

GSA Schedule, and provides the highest caliber vendor-authorized

instruction at our training centers, online, or onsite.

Read this before you post:

http://forums.adobe.com/thread/607238

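A worked comparison of the three approaches Dave describes, added here as an illustration; it is not code from the thread or from ColdFusion. The escaping tables and the tag-name blacklist are assumptions modelled on the documented behaviour of htmlEditFormat(), xmlFormat() and Global Script Protection, and the sample inputs are constructed.

```python
import re

# Assumed model of htmlEditFormat(): escapes the characters that can open a
# tag or close an attribute in HTML element content.
def html_edit_format(value: str) -> str:
    return (value.replace("&", "&amp;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;")
                 .replace('"', "&quot;"))

# Assumed model of xmlFormat(): the same metacharacters plus the apostrophe,
# emitted as &apos;, an XML entity that HTML 4 browsers do not recognise.
def xml_format(value: str) -> str:
    return html_edit_format(value).replace("'", "&apos;")

# Assumed model of Global Script Protection: a fixed list of tag names is
# rewritten so the browser ignores them; nothing else in the input changes.
_BLACKLIST = re.compile(r"<\s*(object|embed|script|applet|meta)", re.IGNORECASE)

def script_protect(value: str) -> str:
    return _BLACKLIST.sub("<InvalidTag", value)

# Does the output still contain something a browser would parse as a tag?
def contains_markup(value: str) -> bool:
    return re.search(r"<[A-Za-z/]", value) is not None

# Constructed inputs: a tag the blacklist was built for, a tag that carries
# its payload in an attribute instead, and an ordinary comment.
SAMPLES = {
    "script_tag": "<script>alert(1)</script>",
    "event_attr": "<img src=x onerror=alert(1)>",
    "benign": 'Tom & Jerry say "hi" <3',
}

# For one input, report whether markup survives each approach.  Encoding
# removes it for every input; the blacklist only touches listed tag names,
# so the event_attr sample passes through untouched.  htmlEditFormat() is
# right for element content and quoted attributes; JavaScript or URL
# contexts need their own context-specific encoding.
def compare(value: str) -> dict:
    return {
        "gsp_only": contains_markup(script_protect(value)),
        "html_edit_format": contains_markup(html_edit_format(value)),
        "xml_format": contains_markup(xml_format(value)),
    }

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, compare(text))
```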
Participant
November 13, 2010

Dave: Thanks for your explanation. I see that Adobe's CF documentation seems to imply that Global Script Protection (I'll call it GSP) is just as good as htmlEditFormat in terms of protection against XSS. Here is what Adobe says:

"This function [htmlEditFormat] can be used to help protect ColdFusion pages that return user-provided data to the client browser from cross-site scripting attacks. However, the scriptprotect attribute of the cfapplication tag or the equivalent This.scriptProtect variable setting in Application.cfc can be preferable in most instances, because you only need to specify it once for an application."

You seem to be saying that there are cases where GSP will not protect against certain types of XSS attack, while htmlEditFormat will. Would you have an example?

Pete

Dave Watts, Community Expert (Correct answer)
November 13, 2010

http://www.12robots.com/index.cfm/2010/3/1/A-warning-about-ColdFusions-scriptProtect

http://www.petefreitag.com/item/362.cfm

Dave Watts, CTO, Fig Leaf Software