We're having a problem saving Google Analytics tags to our MySQL database using ColdFusion. The system has worked for about a year, and now the Analytics tag is changing as it is saved from <script type="text/javascript"> to <InvalidTag type="text/javascript">. The invalid tag causes the raw code of the Google code to be visible on our web pages. It is a problem for 11 of our 30 sites.
Here's an example Analytics tag:
<script type="text/javascript">
var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-18376273-1']);
_gaq.push(['_trackPageview']);
(function() {
var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
})();
</script>
And here's an example of a query that saves the code:
<cfquery datasource="NewScience" name="PutContent" username="***" password="***">
<!--- Bind every value with cfqueryparam so user-supplied text (including the Analytics markup) is passed as data, not spliced into the SQL --->
UPDATE `NewScience`.`explore3`
SET `email` = <cfqueryparam value="#Trim(email)#" cfsqltype="cf_sql_varchar">,
`google` = <cfqueryparam value="#Trim(google)#" cfsqltype="cf_sql_longvarchar">,
`faceurl` = <cfqueryparam value="#Trim(faceurl)#" cfsqltype="cf_sql_varchar">,
`fbon` = <cfqueryparam value="#Trim(fbon)#" cfsqltype="cf_sql_varchar">
WHERE `explore3`.`ID` = <cfqueryparam value="#SESSION.Auth.ID#" cfsqltype="cf_sql_integer"> LIMIT 1 ;
</cfquery>
Someone has either enabled this.ScriptProtect=true in your Application.cfc, or it has been turned on at the server level.
I coded the site and didn't include the code you have above, so it's probably enabled on the server. Is this a security measure to protect the server against malicious scripts? What should I ask the host to do to correct it? Any specific terms you can provide would be great because this is the first I've heard of it. Thanks!
Indeed, it's there as a bodge-tastic way of quickly protecting from people posting script to your server. It's nasty and unconfigurable and (IMO) shouldn't really be used.
CF Admin | Settings |
Actually, it is configurable.
Add <cfset this.scriptprotect = "none" /> to your Application.cfc to disable it.
Okay, perhaps I should have been more clear - it may be possible to disable it but that's not exactly what I'd call configurable. I mean that it's an on or off solution, you cannot decide how or when it censors your postdata.
That's not entirely true either. You can configure which scopes it "protects" and you can modify how it does it in a config file. http://www.12robots.com/index.cfm/2008/9/9/Enhancing-ColdFusion-Script-Protection--Security-Series-1...
Not that that helps users on shared hosting. But users on shared hosting clearly don't give a crap about security anyway.
Thanks, guys. I just added scriptprotect="none" to my <CFAPPLICATION> tag and now it works. The only people who access the CMS application I built are franchisees who are part of our company, so I'm not too concerned about malicious scripts.
You should be anyway. Concerned about malicious scripts that is. People are idiots and you never know what they'll do. But using scriptprotect to mitigate XSS is not the right way to handle it, so disabling is fine. You should make sure that you are properly encoding user-generated input and such.
What do you recommend?
What I just said. Encode user-generated output before it is displayed on screen.
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
In ColdFusion, unless you install ESAPI, your best bet is to use xmlFormat for anything placed within an HTML block or an HTML attribute.
If you are allowing your end users to enter HTML then you have a whole different hot mess to deal with.
If you are putting user input into JavaScript blocks or CSS, then you'll need ESAPI to properly encode it.
Security is hard.
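A runnable model of the two approaches contrasted in this thread, written as an added example for this page (not code from the thread, from Adobe ColdFusion or from ESAPI). It uses Python as a stand-in for the CFML page: script_protect() is a simplified model of the input rewrite the thread describes (only the '<script' case), encode_html() has the same effect as xmlFormat, encode_js_string() follows the OWASP rule for JavaScript string literals, and the sample Analytics tag and visitor name are constructed values.

```python
import html
import re

# Constructed sample values: a trusted, admin-configured Analytics snippet
# (the kind stored in the CMS) and one untrusted visitor-supplied string.
GA_TAG = '<script type="text/javascript">var _gaq = _gaq || [];</script>'
VISITOR_NAME = "O'Brien <b>"


def script_protect(value):
    """Model of ScriptProtect as the thread describes it: a blacklist rewrite
    applied to incoming data that turns '<script' into '<InvalidTag'.
    Applied on input, it mangles the stored Analytics tag (the symptom)."""
    return re.sub(r"<script\b", "<InvalidTag", value, flags=re.IGNORECASE)


def encode_html(value):
    """Output encoding for HTML text nodes and quoted attribute values.
    Same effect as ColdFusion's xmlFormat: escapes & < > and both quotes."""
    return html.escape(value, quote=True)


def encode_js_string(value):
    """Output encoding for a JavaScript string literal: every character that
    is not ASCII alphanumeric becomes \\xHH (or \\uHHHH), per OWASP."""
    out = []
    for ch in value:
        if ch.isalnum() and ord(ch) < 128:
            out.append(ch)
        elif ord(ch) < 256:
            out.append("\\x%02x" % ord(ch))
        else:
            out.append("\\u%04x" % ord(ch))
    return "".join(out)


def decode_js_string(literal):
    """Undo \\xHH / \\uHHHH so a test can confirm the JS encoding round-trips."""
    return re.sub(r"\\x([0-9a-f]{2})|\\u([0-9a-f]{4})",
                  lambda m: chr(int(m.group(1) or m.group(2), 16)), literal)


def render_page(ga_tag, visitor_name):
    """Store raw, encode at output time, per context: the Analytics tag is
    trusted site configuration and is emitted as-is; the visitor name is
    untrusted and encoded for each of the three places it lands."""
    return (
        f"{ga_tag}\n"
        f"<p>Hello, {encode_html(visitor_name)}</p>\n"
        f'<input value="{encode_html(visitor_name)}">\n'
        f"<script>var visitor = '{encode_js_string(visitor_name)}';</script>"
    )
```

Mangling on input (script_protect) corrupts legitimate stored data and keeps none of the original, whereas encoding on output leaves the database untouched and neutralises untrusted text for the exact context it is written into.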