CFLib.org – Common Function Library Project

isXss(field)

Last updated February 22, 2011

Version: 1 | Requires: ColdFusion 8 | Library: SecurityLib

 
Rated 0 time(s). Average Rating: 0

Description:
Checks against all the possible combinations of the character "<" in HTML and JavaScript (in UTF-8) and returns a boolean value based on the result. This can prove useful in passing PCI compliance automated scanning.

Return Values:
Returns a boolean.

Example:

view plain print about
<cfparam name="hasSecurityError" default="false">

<form method="POST">
    <input type="text" name="foo">
    <input type="text" name="who">
    <input type="submit">
</form>

<cfif structKeyExists(form, "fieldnames")>
    
    <cfloop list="#form.fieldNames#" index="i">
        
        <cfif isXss(form[i])>
            <cfset hasSecurityError = true>
            <cfbreak>
        </cfif>
    </cfloop>
</cfif>

<cfdump var="#hasSecurityError#">

Parameters:

Name Description Required
field String to check. Yes

Full UDF Source:

view plain print about
<!---
 Checks against all the possible combinations of the character &quot;&lt;&quot; in HTML and JavaScript (in UTF-8) and returns a boolean value based on the result.
 
 @param field      String to check. (Required)
 @return Returns a boolean. 
 @author MIchael Bramwell (mbramwell@gmail.com) 
 @version 1, February 22, 2011 
--->

<cffunction name="isXss" hint="" access="public" returntype="boolean">
    <cfargument name="field" type="string" required="yes" />
    
    <cfset var bReturn = false />
    <cfset var encodingsOfLessThan = "<
%3C
&lt
&lt;
&LT
&LT;
&##
&##60
&##060
&##0060
&##00060
&##000060
&##0000060
&##60;
&##060;
&##0060;
&##00060;
&##000060;    
&##0000060;
&##x3c
&##x03c
&##x003c
&##x0003c
&##x00003c
&##x000003c
&##x3c;
&##x03c;
&##x003c;
&##x0003c;
&##x00003c;
&##x000003c;
&##X3c
&##X03c
&##X003c
&##X0003c
&##X00003c
&##X000003c
&##X3c;
&##X03c;
&##X003c;
&##X0003c;
&##X00003c;
&##X000003c;
&##x3C
&##x03C
&##x003C
&##x0003C
&##x00003C
&##x000003C
&##x3C;
&##x03C;
&##x003C;
&##x0003C;
&##x00003C;
&##x000003C;
&##X3C
&##X03C
&##X003C
&##X0003C
&##X00003C
&##X000003C
&##X3C;
&##X03C;
&##X003C;
&##X0003C;
&##X00003C;
&##X000003C;
\x3c
\x3C
\u003c
\u003C"
>

    
    <cfloop list="#encodingsOfLessThan#" index="i" delimiters="#chr(10)#">
        
        <cfif Find(i, arguments.field)>
            <cfset bReturn = true >
        </cfif>
    </cfloop>
    
    <cfreturn bReturn />
    
</cffunction>
blog comments powered by Disqus

Search CFLib.org


Latest Additions

Adam Cameron Adam Cameron added
createPrimeNumbe...
15 day(s) ago

Ray Ford Ray Ford added
timeZoneNow
29 day(s) ago

Henry Ho Henry Ho added
queryExecute
a while ago

Rick Root Rick Root added
deleteDirectory
a while ago

Top Rated

Darwan Leonardo Sitepu backupDatabase
Rated 5.0, 48 time(s)

Barney Boisvert indentXml
Rated 5.0, 12 time(s)

Rachel Lehman deAccent
Rated 5.0, 9 time(s)

Darwan Leonardo Sitepu splitNumber
Rated 5.0, 8 time(s)

Created by Raymond Camden / Design by Justin Johnson