Is it a best practice to use urlencodedformat() on all URL variables?

Explorer, May 12, 2015

We are currently using mostly CF11 but still have one production server with CF9. We run WebInspect and Nessus scans, and they are consistently flagging vulnerabilities stating things like blind SQL injection, XSS, etc. These are happening on URL variables even with pages that have no SQL at all. My general question is: is it a best practice to always wrap all URL variables in urlencodedformat() to protect them? We do have a shop best practice of always using cfqueryparam to protect against other types of SQL injection.

Advocate, May 12, 2015

Yes, for anything that might contain special characters and anything from the client browser. There is also a family of editHTMLFormat functions that should be used for all HTML tag data (CF11 added several from OWASP recommendations).

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
May 12, 2015 0
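The point behind the answer above is that the encoding has to match the context the value is written into: urlEncodedFormat() only makes a value safe inside a query string, so a URL variable that is echoed back into the page body or an attribute still needs HTML encoding, and a value used in a query still needs cfqueryparam. That is also why scanners report reflected XSS on pages with no SQL in them. The following page is an added example written for this thread, not code from the original posts or from Adobe; the file name product.cfm, the parameters url.id and url.q, the products table and application.dsn are all assumed. The encodeFor* functions exist from ColdFusion 10 onward; the comments name the CF9 equivalents for the older server.

```cfml
<!--- Added example (not from the thread): one URL variable, encoded per output context. --->
<!--- Hypothetical request: product.cfm?id=42&q=blue+shirt --->

<!--- 1. Validate shape first. cfparam rejects a non-integer id before it goes anywhere. --->
<cfparam name="url.id" default="0" type="integer">
<cfparam name="url.q"  default="" type="string">

<!--- 2. Database context: cfqueryparam binds the value; it is never spliced into the SQL text. --->
<!---    application.dsn and the products table are assumptions for this example. --->
<cfquery name="product" datasource="#application.dsn#">
    SELECT name, price
    FROM   products
    WHERE  id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<cfoutput>
    <!--- 3. HTML body context: the reflected search term must be HTML-encoded,
             otherwise <script> or <img onerror=...> in url.q lands in the page as markup.
             CF10+: encodeForHTML().  CF9: htmlEditFormat(url.q). --->
    <p>Results for: #encodeForHTML(url.q)#</p>

    <!--- 4. HTML attribute context: quotes and angle brackets are the problem here,
             so the value is attribute-encoded, not URL-encoded.
             CF10+: encodeForHTMLAttribute().  CF9: htmlEditFormat(url.q). --->
    <input type="text" name="q" value="#encodeForHTMLAttribute(url.q)#">

    <!--- 5. URL context: this is the one place urlEncodedFormat()-style encoding belongs,
             because the value is being placed inside a query string.
             CF10+: encodeForURL().  CF9: urlEncodedFormat(url.q). --->
    <a href="search.cfm?q=#encodeForURL(url.q)#&id=#url.id#">Refine search</a>

    <cfif product.recordCount>
        <!--- Data read back from the database is encoded on output too. --->
        <h2>#encodeForHTML(product.name)#</h2>
        <p>Price: #numberFormat(product.price, "0.00")#</p>
    </cfif>
</cfoutput>
```

A quick way to see the difference is to request the page with q=%3Cscript%3E and compare the rendered source: the body and attribute show the literal text, the link carries the percent-encoded form, and no script executes. Wrapping url.q in urlEncodedFormat() at steps 3 and 4 instead would render "%3Cscript%3E" visibly in the page, which hides the symptom but is the wrong encoder for those contexts.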
ronboy30
Explorer, May 12, 2015

Copy link to clipboard

Copied


Thanks Steve, I have put it around several of the URL variables on the pages with the findings. Will run another scan in the next few days and hopefully that will fix it.