CFLib.org – Common Function Library Project

isXss(field)

Last updated February 22, 2011

Version: 1 | Requires: ColdFusion 8 | Library: SecurityLib

 
Description:
Checks the string for the common encodings of the character "<" used in HTML, URL-encoded and JavaScript-escaped text (entity, %3C, \x3c and \u003c forms, in UTF-8) and returns a boolean: true if any of them is found. This can prove useful in passing PCI compliance automated scanning.

Return Values:
Returns a boolean.

Example:

<cfparam name="hasSecurityError" default="false">

<form method="POST">
    <input type="text" name="foo">
    <input type="text" name="who">
    <input type="submit">
</form>

<cfif structKeyExists(form, "fieldnames")>
    
    <cfloop list="#form.fieldNames#" index="i">
        
        <cfif isXss(form[i])>
            <cfset hasSecurityError = true>
            <cfbreak>
        </cfif>
    </cfloop>
</cfif>

<cfdump var="#hasSecurityError#">

Parameters:

Name    Description       Required
field   String to check.  Yes

Full UDF Source:

<!---
 Checks against all the possible combinations of the character "<" in HTML and JavaScript (in UTF-8) and returns a boolean value based on the result.
 
 @param field      String to check. (Required)
 @return Returns a boolean. 
 @author Michael Bramwell (mbramwell@gmail.com) 
 @version 1, February 22, 2011 
--->

<cffunction name="isXss" hint="" access="public" returntype="boolean">
    <cfargument name="field" type="string" required="yes" />
    
    <cfset var bReturn = false />
    <cfset var encodingsOfLessThan = "<
%3C
&lt
&lt;
&LT
&LT;
&##
&##60
&##060
&##0060
&##00060
&##000060
&##0000060
&##60;
&##060;
&##0060;
&##00060;
&##000060;
&##0000060;
&##x3c
&##x03c
&##x003c
&##x0003c
&##x00003c
&##x000003c
&##x3c;
&##x03c;
&##x003c;
&##x0003c;
&##x00003c;
&##x000003c;
&##X3c
&##X03c
&##X003c
&##X0003c
&##X00003c
&##X000003c
&##X3c;
&##X03c;
&##X003c;
&##X0003c;
&##X00003c;
&##X000003c;
&##x3C
&##x03C
&##x003C
&##x0003C
&##x00003C
&##x000003C
&##x3C;
&##x03C;
&##x003C;
&##x0003C;
&##x00003C;
&##x000003C;
&##X3C
&##X03C
&##X003C
&##X0003C
&##X00003C
&##X000003C
&##X3C;
&##X03C;
&##X003C;
&##X0003C;
&##X00003C;
&##X000003C;
\x3c
\x3C
\u003c
\u003C"
>

    
    <!--- Each list item is one encoding of "<". Trim it so a stray CR or
          trailing space in the list above cannot prevent a match. Find() is
          case-sensitive, which is why both letter cases are enumerated. --->
    <cfloop list="#encodingsOfLessThan#" index="i" delimiters="#chr(10)#">
        <cfif Find(Trim(i), arguments.field)>
            <cfset bReturn = true />
            <cfbreak>
        </cfif>
    </cfloop>
    
    <cfreturn bReturn />
    
</cffunction>
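The check the UDF performs, reproduced in Python as an added example (this is not the CFLib code and not part of the original page): the encoding list is generated rather than typed out, and it is placed next to a hypothetical normalising alternative, `contains_less_than`, which is assumed to decode URL, entity and JavaScript escapes before looking for a literal `<`. Running both over the same constructed inputs shows what a case-sensitive substring list misses and what it flags by mistake.

```python
import html
import re
import urllib.parse


# Regenerates the list enumerated in the CFLib isXss UDF instead of hand-listing
# it: decimal and hex entities with 0-5 leading zeros, with and without the
# trailing ';', in both letter cases, plus the URL and JavaScript escape forms.
def less_than_encodings():
    forms = ["<", "%3C", "&lt", "&lt;", "&LT", "&LT;", "&#"]
    for zeros in range(6):
        pad = "0" * zeros
        for semi in ("", ";"):
            forms.append(f"&#{pad}60{semi}")
            for x in ("x", "X"):
                for hexpart in ("3c", "3C"):
                    forms.append(f"&#{x}{pad}{hexpart}{semi}")
    forms += ["\\x3c", "\\x3C", "\\u003c", "\\u003C"]
    return forms


ENCODINGS = less_than_encodings()


def is_xss(field: str) -> bool:
    """Behaves like the UDF: case-sensitive substring search for any form.

    The bare "&#" entry is a substring of every numeric entity, so it alone
    decides the result for all of them, benign ones included.
    """
    return any(enc in field for enc in ENCODINGS)


def _decode_js_escapes(s: str) -> str:
    """Turn \\xHH and \\uHHHH escapes into the characters they denote."""
    s = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)
    s = re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return s


def contains_less_than(field: str, rounds: int = 2) -> bool:
    """Hypothetical normalising alternative: decode instead of enumerating.

    URL-decodes, HTML-unescapes and resolves JavaScript escapes, repeating
    `rounds` times so that double-encoded input (e.g. %253C) is also reduced,
    then looks for a literal '<'. Not part of the CFLib UDF.
    """
    s = field
    for _ in range(rounds):
        s = urllib.parse.unquote(s)
        s = html.unescape(s)
        s = _decode_js_escapes(s)
    return "<" in s


if __name__ == "__main__":
    # Constructed sample inputs: one tag-shaped, one benign entity, and the
    # lowercase %3c and double-encoded cases the enumeration cannot see.
    for sample in ["<b>", "&#169; 2011", "%3c", "%253C", "plain text"]:
        print(f"{sample!r:16} udf={is_xss(sample)!s:5} "
              f"decoded={contains_less_than(sample)}")
```

The generator yields the same 71 forms as the UDF's list. Two properties of that list are worth knowing before relying on it: because `Find` is a substring search, the `&#` entry already covers all 60 numeric-entity entries and also fires on harmless entities such as `&#169;`, and because `Find` is case-sensitive, `%3c` (lowercase) and double-encoded input such as `%253C` pass untouched. Decoding the input first, as the alternative does, removes both problems, and output encoding at the point of rendering remains the primary XSS control regardless of which input check is used.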