ColdFusion's Builtin Enterprise Security API
One of the nice side effects to installing the latest ColdFusion security hotfix is that ColdFusion 8 and ColdFusion 9 now both include the jar files for the OWASP ESAPI or Enterprise Security API.
This means that it’s now very very easy to leverage this powerful security API from within your ColdFusion code.
Here’s a quick example of how you might use the ESAPI encoder to prevent cross site scripting:
<cfset esapi = CreateObject("java", "org.owasp.esapi.ESAPI")> <cfset esapiEncoder = esapi.encoder()> <cfoutput><p>Hello #esapiEncoder.encodeForHTML(url.name)#</p></cfoutput>
The Encoder class has methods for encoding all kinds of input so they can be safely used in various contexts. Here’s a listing some handy encoders:
- encodeForHTMLAttribute - used for encoding a string inside of a HTML attribute.
- encodeForURL - used for encoding inside of a url, eg: in a href
- encodeForCSS - used for encoding variable inside of CSS (eg inline style attributes)
- encodeForXML - encoding variables inside XML
- encodeForXPath - encode variables in an XPath query
What else can ESAPI do?
ESAPI also provides helpers for Validation, Encryption, Logging, Randomization, and more. Checkout the docs to see what it can do.
ESAPI Java Documentation
Like this? Follow me ↯Tweet Follow @pfreitag
ColdFusion's Builtin Enterprise Security API was first published on March 17, 2011.
If you like reading about coldfusion, security, api, esapi, or owasp then you might also like:
- Using AntiSamy with ColdFusion
- ColdFusion 2020 Developer Week - Securing CF
- Fixinator and Foundeo Security Bundle
- ColdFusion returning empty response with server-error: true
- CFSummit 2016 Slides
- Scope Injection in CFML
- New HackMyCF Features
- J2EE Sessions in CF10 Uses Secure Cookies
The FuseGuard Web Application Firewall for ColdFusion & CFML is a high performance, customizable engine that blocks various attacks against your ColdFusion applications.