Using AntiSamy with ColdFusion
How do you protect your code from Cross Site Scripting (XSS) when your business requirements state that the user must be able to input HTML? This can be a difficult problem to solve and XSS is very difficult to filter against because there are hundreds of attack vectors.
Remember that social networking site MySpace? They allow anyone to create profile pages with lots of CSS and HTML markup. They were concerned about XSS and they had pretty extensive blacklist filters in place to prevent it.
Back to the problem at hand: how do we prevent this sort of thing? One way is to use a Java library called AntiSamy. AntiSamy uses an XML policy file that defines what HTML tags and attributes are allowed in your application.
Invoking AntiSamy from ColdFusion
AntiSamy requires a couple of jar files to run. To use the code in a jar file in ColdFusion, you need to add the jar files to your Java classpath. Mark Mandel wrote an awesome utility called JavaLoader, which allows us to dynamically load jar files without modifying the Java classpath variables or copying files to particular locations. I am going to use JavaLoader in my example because it makes things very easy.
<cfset policyFile = ExpandPath("./antisamy-slashdot-1.4.1.xml")>
<cfset jarArray = [ExpandPath("lib/antisamy-bin.1.4.1.jar"),
    ExpandPath("lib/antisamy-required-libs/batik-css.jar"),
    ExpandPath("lib/antisamy-required-libs/batik-util.jar"),
    ExpandPath("lib/antisamy-required-libs/nekohtml.jar"),
    ExpandPath("lib/antisamy-required-libs/xercesImpl.jar")]>
<!--- using Java Loader to avoid adding jar files to classpath --->
<cfset classLoader = CreateObject("component", "lib.javaloader.JavaLoader").init(jarArray)>
<cfset antiSamy = classLoader.create("org.owasp.validator.html.AntiSamy").init()>
<cfset cleanResults = antiSamy.scan(form.html, policyFile)>
<cfoutput>
    <h3>AntiSamy Result:</h3>
    #cleanResults.getCleanHTML()#
</cfoutput>
Download complete working version - Includes all Jar files, JavaLoader (Requires CF8+ due to array notation, could be modified to work on CF7)
Using AntiSamy in ColdFusion is actually quite simple: you just need to create an instance of the Java object org.owasp.validator.html.AntiSamy and then invoke the scan(htmlContent, policyFileLocation) method. It returns a CleanResults object which has a bunch of nifty methods, such as getCleanHTML(), which returns sanitized HTML based on your policy.
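Beyond getCleanHTML(), the CleanResults object also reports what the policy rejected. The following is an added example, not code from the original post: it caches the scanner and a parsed Policy object in the application scope so the XML policy is loaded once, logs the rejection messages, and falls back to HTML-encoding the input if the scan throws. The function name sanitizeHtml, the application.antiSamy cache and the log file name are assumptions; the jar and policy paths are the ones from the listing above.

```cfml
<!--- Added example, not from the original post. sanitizeHtml and application.antiSamy
      are hypothetical names; jar and policy paths are the ones in the listing above. --->
<cffunction name="sanitizeHtml" returntype="struct" output="false">
    <cfargument name="dirty" type="string" required="true">
    <cfset var out = StructNew()>
    <cfset var jars = "">
    <cfset var loader = "">
    <cfset var cache = StructNew()>
    <cfset var scan = "">
    <cftry>
        <!--- Build the class loader and parse the policy XML once per application --->
        <cfif NOT StructKeyExists(application, "antiSamy")>
            <cflock name="antiSamyInit" type="exclusive" timeout="30">
                <cfif NOT StructKeyExists(application, "antiSamy")>
                    <cfset jars = [ExpandPath("lib/antisamy-bin.1.4.1.jar"),
                        ExpandPath("lib/antisamy-required-libs/batik-css.jar"),
                        ExpandPath("lib/antisamy-required-libs/batik-util.jar"),
                        ExpandPath("lib/antisamy-required-libs/nekohtml.jar"),
                        ExpandPath("lib/antisamy-required-libs/xercesImpl.jar")]>
                    <cfset loader = CreateObject("component", "lib.javaloader.JavaLoader").init(jars)>
                    <cfset cache.scanner = loader.create("org.owasp.validator.html.AntiSamy").init()>
                    <cfset cache.policy = loader.create("org.owasp.validator.html.Policy").getInstance(JavaCast("string", ExpandPath("./antisamy-slashdot-1.4.1.xml")))>
                    <cfset application.antiSamy = cache>
                </cfif>
            </cflock>
        </cfif>
        <cfset scan = application.antiSamy.scanner.scan(JavaCast("string", arguments.dirty), application.antiSamy.policy)>
        <cfset out.html = scan.getCleanHTML()>
        <cfset out.errorCount = scan.getNumberOfErrors()>
        <cfset out.errors = scan.getErrorMessages().toString()>
        <cfcatch type="any">
            <!--- Fail closed: if the scan or policy load throws, emit no markup at all --->
            <cfset out.html = HTMLEditFormat(arguments.dirty)>
            <cfset out.errorCount = -1>
            <cfset out.errors = cfcatch.message>
        </cfcatch>
    </cftry>
    <cfreturn out>
</cffunction>

<cfparam name="form.html" default="">
<cfset result = sanitizeHtml(form.html)>
<cfif result.errorCount NEQ 0>
    <!--- Rejected tags/attributes (or a scan failure) are worth reviewing in the logs --->
    <cflog file="antisamy" type="warning" text="AntiSamy: #result.errorCount# issue(s) from #cgi.remote_addr#: #result.errors#">
</cfif>
<cfoutput>#result.html#</cfoutput>
```

An errorCount of -1 marks the fallback path, where the output is the fully encoded input rather than policy-filtered HTML.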
Using AntiSamy with ESAPI
Another great Java security API is the OWASP Enterprise Security API (ESAPI), which also makes use of AntiSamy under the hood. One example is the ESAPI.validator().isValidSafeHTML(htmlContent) method. I recommend you check out ESAPI for its collection of Encoders to protect you against XSS (for outputting variables that should not contain HTML). See my Writing Secure CFML presentation slides from CFUnited 2010 for more on ESAPI.
@Brook - Yes, you can configure exceptions in the XML AntiSamy config file.
@Sami - Sorry, I didn't choose the name :) - The difference between using something like this, and Portcullis or Fuseguard to protect against XSS attacks is that something like AntiSamy can give you much better protection. Portcullis and Fuseguard rely on input filtering to find XSS, which isn't going to cover as many cases. Ideally you should have both types of protections in place.
If you have the ability to run .NET there is a .NET version of antisamy as well. There is also a Microsoft library called AntiXSS that you can also look into.