coldfusion, coldfusion-9

scriptProtect ColdFusion 9


I am trying to learn how to use scriptProtect but I was wondering if there is also something else that I need to do in order to secure my application as much as possible. Also, is scriptProtect acting as HTMLEditFormat or is it something completely separate?

And finally, my application is under another application, e.g. example.com/myapp/index.cfm. I suppose that I have to add the scriptProtect under the main application.cfc of example.com, correct? And if so, should I expect errors due to this tag from the main app? Should I write a component that extends the application.cfc and add the scriptProtect in there instead?


Solution

  • Henry has you on the right track. You definitely cannot solely rely on the scriptProtect functionality. However, I think it is okay to use it in conjunction with other validation methods. And, for what it's worth, there is a global setting in the ColdFusion Administrator that enables scriptProtect for all applications running under that instance. It is named "Enable Global Script Protection" in the Administrator and can be found under the Settings menu.

    The scriptProtect setting is completely different from the HTMLEditFormat and EncodeForXXXX() functions. I just wanted to point out that the scriptProtect and/or "Global Script Protection" rules can be customized. That setting works by applying a regular expression, defined in the cf_root/lib/neo-security.xml file in the server configuration or the cf_root/WEB-INF/cfusion/lib/neo-security.xml file in the JEE configuration, to the variable value. You can customize the patterns that ColdFusion replaces by modifying the regular expression in the CrossSiteScriptPatterns variable.

    The default regular expression is defined as:

    <var name='CrossSiteScriptPatterns'>
        <struct type='coldfusion.server.ConfigMap'>
            <var name='&lt;\s*(object|embed|script|applet|meta)'>
                <string>&lt;InvalidTag</string>
            </var>
        </struct>
    </var>
    

    Which means, by default, the Global Script Protection mechanism is only looking for strings containing <object or <embed or <script or <applet or <meta in the FORM, URL, CGI, and COOKIE scopes and replacing them with <InvalidTag. You can enhance that regular expression to look for more cases and/or change the replacement string if you want.

    See the "Protecting variables from cross-site scripting attacks" section on this page.
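To make the difference the answer draws concrete, the following is an added Python simulation (not ColdFusion's own implementation and not code from the question or answer) of what the default CrossSiteScriptPatterns entry does to a request value, next to an output-encoding step analogous to HTMLEditFormat()/EncodeForHTML(). It applies the regular expression exactly as quoted above (the page does not show which flags the real engine uses, so none are assumed), the sample FORM values are constructed for the demonstration, and the EXTENDED_PATTERNS entry is a hypothetical customization used only to illustrate that the pattern table is editable.

```python
import html
import re

# The default CrossSiteScriptPatterns entry from neo-security.xml as quoted in
# the answer above: the XML '&lt;' decodes to a literal '<'. Keys are regular
# expressions, values are the replacement string, mirroring the XML struct.
DEFAULT_PATTERNS = {
    r"<\s*(object|embed|script|applet|meta)": "<InvalidTag",
}

# Hypothetical extension (an assumption for illustration, not a ColdFusion
# default): additionally rewrite inline event-handler attribute names.
EXTENDED_PATTERNS = {
    **DEFAULT_PATTERNS,
    r"\bon\w+\s*=": "InvalidAttr=",
}


def script_protect(value, patterns=DEFAULT_PATTERNS):
    """Simulate scriptProtect on a single request value: every regex in
    `patterns` is applied in turn and each match is rewritten to its
    replacement string. Anything the patterns do not match passes through
    untouched; this is input filtering, not encoding."""
    for pattern, replacement in patterns.items():
        value = re.sub(pattern, replacement, value)
    return value


def protect_scope(scope, patterns=DEFAULT_PATTERNS):
    """Apply script_protect to every value of one scope (FORM, URL, CGI or
    COOKIE, modelled here as a plain dict of name -> string)."""
    return {name: script_protect(val, patterns) for name, val in scope.items()}


def encode_for_html(value):
    """Output encoding analogous to HTMLEditFormat()/EncodeForHTML(): the value
    is not inspected for tag names at all; every <, >, &, " and ' becomes an
    entity so the browser renders the text literally. The exact character set
    differs slightly between the ColdFusion functions and html.escape."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    # Constructed sample FORM scope for the demonstration.
    form = {
        "comment": "<script>alert(1)</script>",
        "spaced": "< script>alert(1)</script>",   # \s* allows the gap
        "closing": "</script>",                   # '/' is not whitespace
        "handler": '<img src=x onerror="alert(1)">',  # no listed tag name
    }
    for name, raw in form.items():
        print(f"{name:8} raw:      {raw}")
        print(f"{'':8} filtered: {script_protect(raw)}")
        print(f"{'':8} extended: {script_protect(raw, EXTENDED_PATTERNS)}")
        print(f"{'':8} encoded:  {encode_for_html(raw)}")
```

Running it shows the two mechanisms doing unrelated jobs: the filter rewrites only the opening of the five listed tags (the closing `</script>` and an `<img>` with an event handler are left as they arrived, because the regex names neither), while the encoder changes every value regardless of content so that it cannot be interpreted as markup when it is written into a page. That is why the answer recommends scriptProtect only alongside, never instead of, proper validation and output encoding.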