ColdFusion's Builtin Enterprise Security API
One of the nice side effects of installing the latest ColdFusion security hotfix is that ColdFusion 8 and ColdFusion 9 now both ship the jar files for the OWASP ESAPI, the Enterprise Security API.
This means it's now very easy to call this security API directly from your ColdFusion code, with no extra jars to deploy.
Here's a quick example of using the ESAPI Encoder to prevent cross site scripting when echoing a URL parameter into the page body:
```cfml
<!--- ESAPI is a static facade; encoder() hands back the shared Encoder instance --->
<cfset esapi = CreateObject("java", "org.owasp.esapi.ESAPI")>
<cfset esapiEncoder = esapi.encoder()>
<cfoutput><p>Hello #esapiEncoder.encodeForHTML(url.name)#</p></cfoutput>
```
The Encoder class has a method for each output context, because the characters that are dangerous in an HTML body are not the same ones that are dangerous inside an attribute, a URL, a stylesheet or a script. Pick the method that matches where the value lands. Here's a list of some handy encoders:
- encodeForHTML - used for encoding a string in HTML body content (the example above).
- encodeForHTMLAttribute - used for encoding a string inside an HTML attribute value. It escapes quotes but does not add them, so keep the attribute quoted.
- encodeForURL - used for encoding a single parameter value inside a URL, eg: a query string value in an href. It is not for encoding a whole URL, and the href attribute it sits in still needs attribute encoding.
- encodeForJavaScript - used for encoding a string inside a JavaScript string literal.
- encodeForCSS - used for encoding a variable inside CSS (eg inline style attributes).
- encodeForXML - used for encoding variables inside XML.
- encodeForXPath - used for encoding variables in an XPath query.
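The following page pulls the contexts above together. It is an added example, not code from the original post, and it assumes only what the post already does: the ESAPI jar is on ColdFusion's classpath after the hotfix. The `url.name`, `url.next` and `url.color` parameters and their defaults are constructed sample inputs standing in for attacker-controlled request data.

```cfml
<!--- Added example (not from the original post). One Encoder instance is reused
      for every output context on the page. --->
<cfset esapi = CreateObject("java", "org.owasp.esapi.ESAPI")>
<cfset enc = esapi.encoder()>

<!--- Constructed sample inputs: what an attacker might put in the query string --->
<cfparam name="url.name" default="<script>alert(1)</script>">
<cfparam name="url.next" default="/home?x=1&y=2">
<cfparam name="url.color" default="red; background: url(javascript:alert(1))">

<cfoutput>
<!--- 1. HTML body text: encodeForHTML turns < > & " ' into entities --->
<p>Hello #enc.encodeForHTML(url.name)#</p>

<!--- 2. HTML attribute value: encodeForHTMLAttribute. The quotes around the
      value are ours; the encoder escapes quotes but never adds them. --->
<input type="text" name="name" value="#enc.encodeForHTMLAttribute(url.name)#">

<!--- 3. URL parameter: encodeForURL encodes one parameter value (the & and =
      in url.next become %26 and %3D, so they cannot inject extra parameters).
      The finished href is itself an attribute, so it is attribute-encoded too. --->
<a href="#enc.encodeForHTMLAttribute('/redirect.cfm?to=' & enc.encodeForURL(url.next))#">Continue</a>

<!--- 4. Inline CSS: encodeForCSS escapes ; ( ) and friends, so the sample value
      cannot close the color declaration and start a url() one --->
<p style="color: #enc.encodeForCSS(url.color)#">Styled text</p>

<!--- 5. JavaScript string literal: encodeForJavaScript uses \xHH escapes, so the
      value cannot break out of the quotes or close the script element --->
<script>
    var visitor = "#enc.encodeForJavaScript(url.name)#";
</script>
</cfoutput>
```

Note that the right encoder is chosen by the destination, not by the source: the same `url.name` is encoded three different ways above because it is rendered in three different places. Encoding at output time, right where the value is written, is what keeps that decision local and reviewable.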
What else can ESAPI do?
ESAPI also provides helpers for input Validation, Encryption, Logging, Randomization, and more. Check out the docs to see what it can do.
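As an added example, not from the original post, here is the Validator and the Randomizer called from cfscript. It assumes an ESAPI.properties file is reachable by the ESAPI jar, because the "Email" and "SafeString" validation types are regular expressions defined there (the `Validator.Email` and `Validator.SafeString` entries); the sample inputs are constructed.

```cfml
<!--- Added example (not from the original post). Assumes ESAPI.properties is on
      the classpath so the named validation types resolve. --->
<cfscript>
esapi = CreateObject("java", "org.owasp.esapi.ESAPI");
validator = esapi.validator();
randomizer = esapi.randomizer();

// Constructed sample inputs standing in for request data
samples = ["alice@example.com", "alice@example.com<script>", "bob"];

for (i = 1; i LTE ArrayLen(samples); i = i + 1) {
    // isValidInput(context, input, type, maxLength, allowNull) returns true/false
    // and does not throw; "context" only shows up in ESAPI's own log messages.
    ok = validator.isValidInput("signup.email", samples[i], "Email", 254, false);
    WriteOutput("<p>" & HTMLEditFormat(samples[i]) & " valid as Email: " & ok & "</p>");
}

// getValidInput() is the throwing variant: use it when invalid data should stop
// processing rather than be branched on. It returns the accepted input on success.
try {
    safeName = validator.getValidInput("profile.name", "Robert'); DROP TABLE users;--", "SafeString", 50, false);
    WriteOutput("<p>Accepted: " & HTMLEditFormat(safeName) & "</p>");
} catch (any e) {
    // org.owasp.esapi.errors.ValidationException: the message is written for users
    WriteOutput("<p>Rejected: " & HTMLEditFormat(e.message) & "</p>");
}

// Randomizer is backed by a cryptographically strong generator (SecureRandom in the
// reference implementation), which is what a session or CSRF token needs.
// ColdFusion's Rand() with its default CFMX_COMPAT algorithm is not.
token = randomizer.getRandomString(32, "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789".toCharArray());
WriteOutput("<p>Token: " & token & "</p>");
</cfscript>
```

With the default ESAPI.properties the first sample passes and the second fails the Email check, and the SafeString call is rejected because `'`, `)`, `;` and `-` are outside its alphanumeric-and-whitespace character class. Whitelist validation like this is a complement to output encoding, not a replacement for it: a value that passed validation still gets encoded for the context it is written into.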
ESAPI Java Documentation
ColdFusion's Builtin Enterprise Security API was first published on March 17, 2011.