WolfShade
Legend
September 3, 2015
Answered

Portcullis CFC breaking AJAX-submitted form

  • September 3, 2015
  • 1 reply
  • 940 views

Hello, all,

Is anyone else here using the Portcullis CFC?

I've got a form that is submitting via AJAX, and as long as I have JavaScript stripping out malicious code, it works great. But if I disable the client-side validation/sanitization and allow Portcullis to detect malicious code, Portcullis is set to redirect to the root index page if it detects anything. (I have further server-side validation/sanitization, in case JS is disabled.)

Since my form is submitted via AJAX and uses the output to display error/success messages in the DOM, Portcullis is loading the main page as the content to display within the DOM of the form page!

I do NOT have the option of disabling or otherwise skirting using Portcullis.  I've tried modifying the Application.cfc to check the cgi.http_referer - if a particular page is the referrer, don't redirect. It's redirecting, anyway.

Any solutions to this without disabling Portcullis?

V/r,

^_^

James Moberg
Inspiring
September 3, 2015

Are you testing FORM or URL variables (or both)?  Are you dumping (or emailing) the failed form/URL parameters so you can determine what may be triggering it?  What type of redirect are you performing?  (I'm returning a 403 error instead of redirecting.)

WolfShade (Author)
Legend
September 4, 2015

Hi, Jamo,

I am testing both form and URL scopes.  If anything is found, it doesn't email or anything, it just redirects to the /index.cfm page.

I know _what_ is triggering it - I'm testing by placing HTML tags and HTML entities into a textarea.  But I need to figure a way to get it to display an error message if triggered by a specific cgi.http_referer.  In the Application.cfc, there is a line:

<cfif session.redirect eq 1>
    <cflocation url="/" addtoken="no" />
</cfif>

I modified this to:

<cfif session.redirect eq 1>
    <!--- cgi.http_referer holds the full referring URL (scheme, host and path),
          so an exact comparison against the bare file name never matches
          and the cfelse branch below always runs. --->
    <cfif trim(cgi.http_referer) eq "formpage.cfm">
        Please correct the following: blah blah blah <cfabort>
    <cfelse>
        <cflocation url="/" addtoken="no" />
    </cfif>
</cfif>

... but the root index page still appears within the DOM of the form page.

V/r,

^_^

James Moberg (Correct answer)
Inspiring
September 4, 2015

CGI.Referer can be spoofed, not passed by the browser, or stripped by a proxy. I wouldn't entirely trust it except during specific testing.

Do you know which rules are failing?  You could create a copy of the portcullis.cfc, modify it to add some reporting and then use it during your personal session instead of the regular one.

Which version of ColdFusion and hosted OS are you using?

We had to write some exceptions for CKEditor HTML values, but we use JSoup to sanitize it to identify/remove non-approved HTML. It's extremely effective and no XSS or unsupported HTML tags or parameters are returned in the result.  (I like this solution too because it allows me to rewrite HTML so that it's more compatible with all email HTML clients.)

    JSOUP - How to get list of disallowed tags found in html?

    http://stackoverflow.com/a/30822689/693068

AntiSamy is another possible solution to sanitize HTML, but I haven't used it.

https://www.petefreitag.com/item/760.cfm

or ESAPI4CF:

https://github.com/damonmiller/esapi4cf
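An added example, not code from this thread, of the client half of James's suggestion: once the server answers a blocked submission with HTTP 403 and a small JSON body instead of a cflocation to "/", the AJAX handler can dispatch on status and content type rather than injecting whatever came back into the DOM, which is how the index page ended up inside the form page. The JSON shape ({"ok": ..., "error": ...}), the function names and the result element are assumptions.

```javascript
// Added example, not code from the thread. Assumes the server side has been
// changed, as James suggests, to answer a blocked submission with HTTP 403 and
// a JSON body such as {"error": "..."} rather than a <cflocation> to "/".
// The JSON shape, function names and the result element are assumptions.

// Matches a full HTML document, e.g. the site index after a followed redirect.
const FULL_DOCUMENT = /<\s*(!doctype|html|head|body)\b/i;

function safeJson(text) { try { return JSON.parse(text); } catch (e) { return null; } }

// Decide what the UI should show for a response to the AJAX form post.
// status/contentType/body are what the browser received; after a transparent
// 302 they describe the redirect target, which must never be rendered as a result.
function classifyResponse(status, contentType, body) {
  const isJson = /^application\/json\b/i.test(contentType || "");
  const parsed = isJson ? safeJson(body) : null;
  if (status === 403 && parsed) {
    return { kind: "blocked", message: parsed.error || "Request blocked by input filter." };
  }
  if (status >= 200 && status < 300 && parsed) {
    if (parsed.ok) return { kind: "success", message: parsed.message || "Saved." };
    return { kind: "error", message: parsed.error || "Unexpected server reply." };
  }
  if (FULL_DOCUMENT.test(body || "")) {
    return { kind: "error", message: "Server returned a page instead of a result; input was probably rejected." };
  }
  return { kind: "error", message: "Unexpected response (HTTP " + status + ")." };
}

// Render with textContent so a message can never become markup in the form page.
function renderResult(target, result) {
  target.textContent = result.message;
  target.dataset.kind = result.kind;
}

// redirect: "error" makes fetch reject on a 3xx instead of silently following
// it, so a leftover server-side redirect surfaces as an error, not as the index
// page inside the form's DOM.
async function submitForm(form, target) {
  let response;
  try {
    response = await fetch(form.action, { method: "POST", body: new FormData(form), redirect: "error", headers: { Accept: "application/json" } });
  } catch (e) {
    renderResult(target, { kind: "error", message: "Submission failed or was redirected." });
    return;
  }
  const body = await response.text();
  renderResult(target, classifyResponse(response.status, response.headers.get("content-type"), body));
}
```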