Using AntiSamy with ColdFusion

August 05, 2010

How do you protect your code from Cross Site Scripting (XSS) when your business requirements state that the user must be able to input HTML? This can be a difficult problem to solve and XSS is very difficult to filter against because there are hundreds of attack vectors.

Remember that social networking site MySpace? They allow anyone to create profile pages with lots of CSS, and HTML markup. They were concerned about XSS and they had pretty extensive blacklist filters in place to prevent it.

One clever hacker named Samy figured out a way to embed JavaScript in his MySpace profile page, that would automatically add you as a friend when you viewed his profile. After about 5 hours Samy had roughly 1 million friends! After 6 hours MySpace was shut down for "maintenance"

Back to the problem at hand, how to we prevent this sort of thing? One way is to use a Java Library called AntiSamy. AntiSamy uses a XML policy file that defines what HTML tags and attributes are allowed in your application.

Invoking AntiSamy from ColdFusion

AntiSamy requires a couple jar files to run, in order to use the code in a jar file in ColdFusion you need to add the Jar files to your java classpath. Mark Mandel wrote an awesome utility called JavaLoader which allows us to dynamically load jar files, without modifying the java classpath variables, or copying files to particular locations. I am going to use JavaLoader in my example because it makes things very easy.

<cfset policyFile = ExpandPath("./antisamy-slashdot-1.4.1.xml")>
<cfset jarArray = [ExpandPath("lib/antisamy-bin.1.4.1.jar"), 
	ExpandPath("lib/antisamy-required-libs/batik-css.jar"),
	ExpandPath("lib/antisamy-required-libs/batik-util.jar"),
	ExpandPath("lib/antisamy-required-libs/nekohtml.jar"),
	ExpandPath("lib/antisamy-required-libs/xercesImpl.jar")]>
<!--- using Java Loader to avoid adding jar files to classpath --->
<cfset classLoader = CreateObject("component", "lib.javaloader.JavaLoader").init(jarArray)>
<cfset antiSamy = classLoader.create("org.owasp.validator.html.AntiSamy").init()>
<cfset cleanResults = antiSamy.scan(form.html, policyFile)>
	
<cfoutput>
	<h3>AntiSamy Result:</h3>
	#cleanResults.getCleanHTML()#
</cfoutput>

Download complete working version - Includes all Jar files, JavaLoader (Requires CF8+ due to array notation, could be modified to work on CF7)

Using AntiSamy in ColdFusion is actually quite simple, you just need to create an instance of the Java object org.owasp.validator.html.AntiSamy and then invoke the scan(htmlContent, policyFileLocation) method. It returns a CleanResults object which has a bunch of nifty methods, such as getCleanHTML() which returns sanitized HTML based on your policy.

Using AntiSamy with ESAPI

Another great Java security API is the OWASP Enterprise Security API (ESAPI), it actually makes use of AntiSamy under the hood as well. One example is in the ESAPI.validatior().isValidSafeHTML(htmlContent) method. I recommend you checkout ESAPI for it's collection of Encoders to protect you against XSS (for outputting variables that should not contain HTML). See my Writing Secure CFML presentation slides from CFUnited 2010 for more on ESAPI.

Permalink | Add Comment |

add to del.icio.us | Tags: antisamy, coldfusion, security, java, esapi, owasp, xss

Related Entries

ColdFusion's Builtin Enterprise Security API - March 17, 2011
HashDOS and ColdFusion - December 31, 2011
Risks of FCKeditor Vulnerability in CF8 - July 6, 2009
Announcing Web Application Firewall for ColdFusion - July 9, 2007
HackMyCF Updated for APSB11-29 Security Hotfix - December 15, 2011

2 people found this page useful, what do you think?

Download FuseGuard WAF for ColdFusion

Trackbacks

Trackback Address: 760/404E3AC5BBE65F1C594C20129DB08574

Comments

On 08/05/2010 at 5:31:19 PM EDT Brook wrote:

Thanks Pete! Can antiSammy live in the application scope safely?

On 08/05/2010 at 5:43:21 PM EDT Pete Freitag wrote:

@Brook that's a good question, I looked at the source code for the AntiSamy object, when you call scan(html, policyFileName) it does not use any instance variables so it should be thread safe to put in the application scope. If you go that way, you can also create a org.owasp.validator.html.Policy object and call antisamy.setPolicy(policyObj) just once, then just run antisamy.scan(html).

On 08/05/2010 at 6:27:53 PM EDT Sami Hoda wrote:

I take exception to you defaming this way. Just kidding. Nice work - I didn't think it would be this easy. I wonder how this compares to Portcullis which also works with XSS attacks.

On 08/05/2010 at 8:35:57 PM EDT Brook wrote:

Cool, I am going to try it tonight/tomorrow. I've been looking for something to sanitize user input for a while. Is it possible to allow exceptions? For example, I want users to be able to embed google tracking/script code, but not there own scripts..

On 08/05/2010 at 10:19:20 PM EDT denny wrote:

Seen this?

http://code.google.com/p/owasp-esapi-coldfusion/

On 08/16/2010 at 12:07:32 PM EDT Pete Freitag wrote:

@Denny - Yes I've seen the ColdFusion ESAPI project, it doesn't seem to be active, and is really just a wrapper for the Java Code from what I have seen.

@Brook - Yes you can configure exceptions in the xml antisami config file.

@Sami - Sorry, I didn't choose the name :) - The difference between using something like this, and portcullis or fuseguard to protect against XSS attacks is that something like AntiSami can give you much better protection, Portcullis and Fuseguard rely on input filtering to find XSS, which isn't going to cover as many cases. Ideally you should have both types of protections in place.

On 08/19/2010 at 4:40:53 PM EDT Dmitriy wrote:

What is the performance like if you have 10-15 form fields.

On 08/20/2010 at 11:46:39 AM EDT Anonymous wrote:

Can antisamy be implemented with classic asp on windows 2003 server with IIS as web server?

Please suggest if you have any idea.

On 08/20/2010 at 1:44:32 PM EDT Pete Freitag wrote:

@Anonymous - The Java version of AntiSamy can't be used on ASP classic on Windows 2003. You need to install something that runs Java, and have your ASP page invoke it.

If you have the ability to run .NET there is a .NET version of antisamy as well. There is also a Microsoft library called AntiXSS that you can also look into.

On 08/21/2010 at 10:09:22 AM EDT Anonymous wrote:

Thanks Pete for your thoughts :)

Invoking java from asp page is one option .There is no ability to run .NET.

The requirement is to accept and render markup code provided by user so MS AntiXSS library wont be useful

On 11/30/2010 at 11:07:46 AM EST Jason wrote:

Thanks for example. I am having a difficult time making it work with inline CSS and in between HTML Style Tags. Do you have any examples of using it with CSS in that way? I have reviewed the documentation and I am not clear on what I need to do. Thanks

On 05/19/2011 at 12:19:49 AM EDT James Eisenlohr wrote:

Pete, great article!

Could you please provide an example of how to use Antisamy that was included in the latest CF security update? I am confused about how to find set the policy...where are they located?

On 05/19/2011 at 12:37:15 PM EDT Pete Freitag wrote:

@James - The AntiSamy jars are only included in CF8, and I don't know if all the dependencies are included, so for that reason I would recommend using javaloader.

On 05/19/2011 at 2:21:46 PM EDT James Eisenlohr wrote:

@PeteFreitag - Thank you! I actually got it to work with CF9... not using the OWASP ESAPI. I had to include the following jar files in my WEB-INF/lib directory: batik-css.jar, batick-ext.jar, batik-util.jar, nekohtml.jar and xercesImpl.jar.

Followed tutorial here: http://blog.pengoworks.com/index.cfm/2008/1/3/Using-AntiSamy-to-protect-your-CFM-pages-from-XSS-hacks