CFLib.org – Common Function Library Project

isXss(field)

Last updated February 23, 2011

author

MIchael Bramwell

Version: 1 | Requires: CF8 | Library: SecurityLib

Description:
Checks against all the possible combinations of the character "<" in HTML and JavaScript (in UTF-8) and returns a boolean value based on the result. This can prove useful in passing PCI compliance automated scanning.

Return Values:
Returns a boolean.

Example:

<cfparam name="hasSecurityError" default="false">

<form method="POST">
    <input type="text" name="foo">
    <input type="text" name="who">
    <input type="submit">
</form>

<cfif structKeyExists(form, "fieldnames")>
    
    <cfloop list="#form.fieldNames#" index="i">
        
        <cfif isXss(form[i])>
            <cfset hasSecurityError = true>
            <cfbreak>
        </cfif>
    </cfloop>
</cfif>

<cfdump var="#hasSecurityError#">

Parameters:

Name Description Required
field String to check. Yes

Full UDF Source: 

<!---
 Checks against all the possible combinations of the character &quot;&lt;&quot; in HTML and JavaScript (in UTF-8) and returns a boolean value based on the result.
 
 @param field      String to check. (Required)
 @return Returns a boolean. 
 @author MIchael Bramwell (mbramwell@gmail.com) 
 @version 1, February 22, 2011 
--->
<cffunction name="isXss" hint="" access="public" returntype="boolean">
    <cfargument name="field" type="string" required="yes" />
    
    <cfset var bReturn = false />
    <cfset var encodingsOfLessThan = "<
%3C
&lt
&lt;
&LT
&LT;
&##
&##60
&##060
&##0060
&##00060
&##000060
&##0000060
&##60;
&##060;
&##0060;
&##00060;
&##000060;    
&##0000060;
&##x3c
&##x03c
&##x003c
&##x0003c
&##x00003c
&##x000003c
&##x3c;
&##x03c;
&##x003c;
&##x0003c;
&##x00003c;
&##x000003c;
&##X3c
&##X03c
&##X003c
&##X0003c
&##X00003c
&##X000003c
&##X3c;
&##X03c;
&##X003c;
&##X0003c;
&##X00003c;
&##X000003c;
&##x3C
&##x03C
&##x003C
&##x0003C
&##x00003C
&##x000003C
&##x3C;
&##x03C;
&##x003C;
&##x0003C;
&##x00003C;
&##x000003C;
&##X3C
&##X03C
&##X003C
&##X0003C
&##X00003C
&##X000003C
&##X3C;
&##X03C;
&##X003C;
&##X0003C;
&##X00003C;
&##X000003C;
\x3c
\x3C
\u003c
\u003C">
    
    <cfloop list="#encodingsOfLessThan#" index="i" delimiters="#chr(10)#">
        
        <cfif Find(i, arguments.field)>
            <cfset bReturn = true >
        </cfif>
    </cfloop>
    
    <cfreturn bReturn />
    
</cffunction>

Search CFLib.org


Latest Additions

Raymond Camden added
QueryDeleteRows
November 04, 2017

Leigh added
nullPad
May 11, 2016

Raymond Camden added
stripHTML
May 10, 2016

Kevin Cotton added
date2ExcelDate
May 05, 2016

Raymond Camden added
CapFirst
April 25, 2016

Created by Raymond Camden / Design by Justin Johnson

Copyright 2018, All Rights Reserved
Submit A UDF | RSS