August 21, 2025
Answered

XSS best practices?

  • August 21, 2025
  • 1 reply
  • 402 views

Hi, we are looking into better XSS (Cross-site scripting) prevention.

  • We have the "Enable Global Script" protection checked in CFAdmin
  • We have modified neo-security.xml to include a regex to remove various unwanted tags
  • We have queryparamed all queries
  • We are using getSafeHTML() when needed
  • We are about to go in block mode behind a WAF


Does anyone have other recommendations? I couldn't find any recent posts about this in these forums. 

    Correct answer by pete_freitag (August 21, 2025)

    Yes, check out encodeForHTML and the other functions starting with encodeFor. I wrote up a guide to XSS in ColdFusion here which goes into detail.


    Beyond that - script protect is a trivial protection; I wouldn't rely on it for doing too much - there are many, many ways around it.


    The getSafeHTML function is also a good function, but it is best for cases when you know you have some legitimate HTML in the variable. If you shouldn't have HTML in a variable (e.g. name, phone number, etc.), then use encodeForHTML instead.


    Finally, great job adding cfqueryparam, but that is not going to help you with XSS; it will help you with SQL injection.

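    To make the answer's distinction concrete, here is an added example (not code from the post or from the linked guide): one untrusted value rendered into several output contexts, each with the matching encoder, plus the cfqueryparam point. The inputs are constructed, and the datasource, table and column names are hypothetical; the encodeFor*, getSafeHTML and cfqueryparam names are the real ColdFusion built-ins.

```cfml
<!---
  Added example, not from the post or the linked guide. Inputs below are
  constructed; the datasource, table and column names are hypothetical.
--->
<cfset displayName = '<b>Tim</b> & "Co"'>                    <!--- plain text: no HTML expected --->
<cfset bio = '<p>Hi <b>there</b></p><script>x()</script>'>  <!--- rich text: some HTML expected --->

<cfoutput>
  <!--- Unsafe: raw interpolation makes any markup in the value part of the page --->
  <!--- <p>#displayName#</p> --->

  <!--- Element body: encodeForHTML turns < > & " into entities --->
  <p>#encodeForHTML(displayName)#</p>

  <!--- Attribute value: encodeForHTMLAttribute, because a bare quote could otherwise end the attribute --->
  <input type="text" name="name" value="#encodeForHTMLAttribute(displayName)#">

  <!--- Inside a script block: encodeForJavaScript, not encodeForHTML --->
  <script>var who = "#encodeForJavaScript(displayName)#";</script>

  <!--- Query-string parameter: encodeForURL --->
  <a href="profile.cfm?name=#encodeForURL(displayName)#">profile</a>

  <!--- Rich text the user is allowed to format: getSafeHTML keeps the markup the
        default AntiSamy policy allows and drops the rest, such as the script element --->
  <div class="bio">#getSafeHTML(bio)#</div>
</cfoutput>

<!--- cfqueryparam parameterises the SQL, so it addresses SQL injection, not XSS.
      The value read back out of the database still needs encodeForHTML when displayed. --->
<cfquery name="q" datasource="app">
  SELECT display_name FROM users
  WHERE display_name = <cfqueryparam value="#displayName#" cfsqltype="cf_sql_varchar">
</cfquery>
<cfoutput query="q"><p>#encodeForHTML(display_name)#</p></cfoutput>
```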

    August 21, 2025

    Thanks for the reply, and that guide is very clear! I think there is a small typo under the explanation of encodeForHTMLAttribute() though... the example uses encodeForHTML(). I think it's supposed to be encodeForHTMLAttribute().

    pete_freitag
    August 21, 2025

    Thanks Tim - good catch - I have fixed that.