XSS best practices?

Explorer, Aug 21, 2025

Hi, we are looking into better XSS (Cross-site scripting) prevention.

  • We have the "Enable Global Script Protection" option checked in CFAdmin
  • We have modified neo-security.xml to include a regex to remove various unwanted tags
  • We have queryparamed all queries
  • We are using getSafeHTML() when needed
  • We are about to go into block mode behind a WAF

Does anyone have other recommendations? I couldn't find any recent posts about this in these forums.


Correct answer

Enthusiast, Aug 21, 2025

Yes, check out encodeForHTML and the other functions starting with encodeFor. I wrote up a guide to XSS in ColdFusion here which goes into detail.

Beyond that, script protect is a trivial protection; I wouldn't rely on it for doing too much, as there are many, many ways around it.

The getSafeHTML function is also a good function, but it is best for cases when you know you have some legitimate HTML in the variable. If you shouldn't have HTML in a variable (e.g. name, phone number, etc.), then use encodeForHTML instead.

Finally, great job adding cfqueryparam, but that is not going to help you with XSS; it will help you with SQL Injection.

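To make the answer's point concrete, here is an added example (not code from the thread or its author) that renders one constructed user record into several output contexts and picks the ColdFusion encoder for each; the `profile` struct and its values are constructed for this example, and getSafeHTML is assumed to run with the default AntiSamy policy configured in CFAdmin.

```cfml
<!--- Added example: context-specific output encoding in ColdFusion.
      The input values are constructed; a real app would read them from a query whose
      parameters were bound with cfqueryparam, which stops SQL injection but does nothing
      about what happens once the string is written into a page. --->
<cfscript>
profile = {
    displayName : "O'Brien <img src=x onerror=alert(1)>",
    website     : "https://example.com/?q=a&b=""x""",
    bio         : "<p>Hello <b>world</b></p><script>alert(1)</script>"
};
</cfscript>

<cfoutput>
<!--- 1. Text node: a name should never carry markup, so every HTML-significant
         character is encoded and the browser renders the tag as literal text. --->
<h1>#encodeForHTML(profile.displayName)#</h1>

<!--- 2. Attribute value: a separate encoder, because quotes (and, in unquoted
         attributes, spaces) break out of the attribute even when angle brackets
         are escaped. Always quote the attribute as well. --->
<input type="text" name="displayName" value="#encodeForHTMLAttribute(profile.displayName)#">

<!--- 3. URL placed in an href: the encoder handles the attribute context only, it does
         not validate the URL itself, so the scheme is checked first and anything that is
         not http(s) is simply not rendered as a link. --->
<cfif reFindNoCase("^https?://", profile.website)>
    <a href="#encodeForHTMLAttribute(profile.website)#">Website</a>
</cfif>

<!--- 4. Script context: data that lands inside JavaScript needs encodeForJavaScript,
         and must sit inside a quoted string literal. --->
<script>
    var displayName = "#encodeForJavaScript(profile.displayName)#";
</script>

<!--- 5. A field that legitimately contains HTML: getSafeHTML keeps the tags the policy
         allows (here the paragraph and bold) and strips the script block. This is the
         only place getSafeHTML belongs; for the name field above it would be the wrong tool. --->
<div class="bio">#getSafeHTML(profile.bio)#</div>
</cfoutput>
```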
Explorer, Aug 21, 2025

Thanks for the reply, and that guide is very clear! I think there is a small typo under the explanation of encodeForHTMLAttribute() though... the example uses encodeForHTML(). I think it's supposed to be encodeForHTMLAttribute().

Enthusiast, Aug 21, 2025

Thanks Tim - good catch - I have fixed that
