I've created a form (in ColdFusion) that submits a value into a database and afterwards shows the inserted value. The problem is that when a user or hacker inserts an HTML tag or JavaScript tag, ColdFusion will also show that as an output value.
I know that there are ways to filter the special characters on submit with cfset, but I don't want to use that method. So not anything like this:
<cfset cleanmessage = ReReplace(getmessages.message, "[^\w]*", "", "ALL")>
Is there any other method to only filter the special characters (<@#!$%^*(&>) when showing the output?
You should do these two things (at least) to sanitize user input:
1. <cfqueryparam ...>. This prevents SQL injection attacks by escaping special SQL characters and sequences.
2. HTMLEditFormat(). This prevents various client-side vulnerabilities by escaping special HTML characters. If you'd like to take your security a step further, Portcullis looks like a great solution (I haven't used it myself though).
Regarding the use of <cfset ...>: you can use functions like HTMLEditFormat() without using cfset. Instead of creating a new variable to store the result of the function, just display the result as you call the function, like so: <cfoutput>#HTMLEditFormat(data)#</cfoutput>
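The two steps from the answer put together in one page, as an added CFML example that is not code from the question or the answer. The datasource name "myDSN", the table messages(id, message) and the form field "message" are assumptions; the stored value is never modified, and escaping happens only at output time, which is what the question asks for.

```cfml
<!--- Added example, not code from the question or the answer. Hypothetical names:
      datasource "myDSN", table messages(id, message), form field "message". --->
<cfparam name="form.message" default="">

<cfif len(trim(form.message))>
    <!--- Step 1: parameterised INSERT. The value is sent as a bound parameter,
          so a payload such as  '); DROP TABLE messages;--  is stored as text
          and never executed as SQL. maxlength caps what can be stored. --->
    <cfquery datasource="myDSN">
        INSERT INTO messages (message)
        VALUES (<cfqueryparam value="#form.message#" cfsqltype="cf_sql_varchar" maxlength="4000">)
    </cfquery>
</cfif>

<!--- Read the stored rows back. Nothing was filtered on the way in. --->
<cfquery name="getmessages" datasource="myDSN">
    SELECT id, message FROM messages ORDER BY id DESC
</cfquery>

<!--- Step 2: escape at output time only, inline, with no intermediate cfset.
      A stored value of  <script>alert(1)</script>  is rendered as the literal
      text &lt;script&gt;alert(1)&lt;/script&gt; and is not executed.
      HTMLEditFormat() escapes <, >, & and " but NOT the single quote, so it is
      only safe inside element content and double-quoted attribute values. --->
<cfoutput query="getmessages">
    <p id="msg-#getmessages.id#">#HTMLEditFormat(getmessages.message)#</p>
</cfoutput>

<!--- On ColdFusion 10 and later, EncodeForHTML() is the preferred encoder:
      it also encodes the single quote, so it covers single-quoted attributes. --->
<cfoutput query="getmessages">
    <p>#EncodeForHTML(getmessages.message)#</p>
</cfoutput>
```

Keeping the raw text in the database and encoding at output is the safer order: the same stored value can later be encoded for a different context (JavaScript, a URL, an attribute) with the matching encoder, whereas a value stripped on input cannot be recovered.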