CFLib.org – Common Function Library Project

isXss(field)

Last updated February 22, 2011

Author: Michael Bramwell

Version: 1 | Requires: CF8 | Library: SecurityLib

Description:
Checks a string for the "<" character in its literal form and in the HTML-entity, URL-encoded and JavaScript-escaped forms enumerated in the source, and returns true if any of them is present. This can prove useful in passing PCI compliance automated scanning.

Return Values:
Returns a boolean.

Example:

<cfparam name="hasSecurityError" default="false">

<form method="POST">
	<input type="text" name="foo">
	<input type="text" name="who">
	<input type="submit">
</form>

<cfif structKeyExists(form, "fieldnames")>
	
	<cfloop list="#form.fieldNames#" index="i">
		
		<cfif isXss(form[i])>
			<cfset hasSecurityError = true>
			<cfbreak>
		</cfif>
	</cfloop>
</cfif>

<cfdump var="#hasSecurityError#">

Parameters:

Name	Description	Required
field	String to check.	Yes

Full UDF Source:

<!---
 Checks a string for the "<" character in its literal form and in its HTML, URL and JavaScript encodings and returns a boolean value based on the result.

 @param field 	 String to check. (Required)
 @return Returns a boolean.
 @author Michael Bramwell (mbramwell@gmail.com)
 @version 1, February 22, 2011
--->
<cffunction name="isXss" hint="" access="public" returntype="boolean">
	<cfargument name="field" type="string" required="yes" />
	
	<cfset var bReturn = false />
	<cfset var encodingsOfLessThan = "<
%3C
&lt
&lt;
&LT
&LT;
&##
&##60
&##060
&##0060
&##00060
&##000060
&##0000060
&##60;
&##060;
&##0060;
&##00060;
&##000060;
&##0000060;
&##x3c
&##x03c
&##x003c
&##x0003c
&##x00003c
&##x000003c
&##x3c;
&##x03c;
&##x003c;
&##x0003c;
&##x00003c;
&##x000003c;
&##X3c
&##X03c
&##X003c
&##X0003c
&##X00003c
&##X000003c
&##X3c;
&##X03c;
&##X003c;
&##X0003c;
&##X00003c;
&##X000003c;
&##x3C
&##x03C
&##x003C
&##x0003C
&##x00003C
&##x000003C
&##x3C;
&##x03C;
&##x003C;
&##x0003C;
&##x00003C;
&##x000003C;
&##X3C
&##X03C
&##X003C
&##X0003C
&##X00003C
&##X000003C
&##X3C;
&##X03C;
&##X003C;
&##X0003C;
&##X00003C;
&##X000003C;
\x3c
\x3C
\u003c
\u003C">
	
	<!--- Each line of the list is tested as a literal substring. Find() is case-sensitive,
	      which is why the hex forms appear in every case combination. The delimiters include
	      CR as well as LF so the list still splits correctly if the file is saved with CRLF
	      line endings; a stray CR on an entry would otherwise stop it from ever matching.
	      The bare "&##" entry (the text "&#" once the doubled # is unescaped) matches any
	      numeric character reference, not only encodings of "<". --->
	<cfloop list="#encodingsOfLessThan#" index="i" delimiters="#chr(13)##chr(10)#">
		
		<cfif Find(i, arguments.field)>
			<cfset bReturn = true />
			<cfbreak>
		</cfif>
	</cfloop>
	
	<cfreturn bReturn />
	
</cffunction>
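Added example, not CFLib's or the author's code: the same check reimplemented in Python, with each group of lines in the UDF's list collapsed into one regular-expression alternative so that decimal and hex character references with any amount of zero padding are covered rather than only the padded forms listed above, plus a scan_form helper that mirrors the page's form-scanning usage example. The function names (is_xss, find_encodings, scan_form) and the sample form are my own constructions.

```python
import re
from typing import Dict, List

# Added example (not CFLib's code): the same substring check as isXss(),
# with the enumerated forms collapsed into one pattern. Each alternative
# generalizes one group of lines in the UDF's list.
LESS_THAN_RE = re.compile(
    r"<"                    # literal "<"
    r"|%3[cC]"              # URL-encoded
    r"|&(?:lt|LT);?"        # the two named references HTML defines, ";" optional
    r"|&#0*60;?"            # decimal character reference, any zero padding
    r"|&#[xX]0*3[cC];?"     # hex character reference, any zero padding
    r"|\\x3[cC]"            # JavaScript hex escape
    r"|\\u003[cC]"          # JavaScript unicode escape
)
# The UDF also lists a bare "&#", which flags every numeric character
# reference (e.g. "&#169;" for the copyright sign); it is left out here.


def is_xss(field: str) -> bool:
    """True when the string contains any encoding of "<" covered by LESS_THAN_RE."""
    return LESS_THAN_RE.search(field) is not None


def find_encodings(field: str) -> List[str]:
    """Every matched encoding in order of appearance, so a log entry can say
    which form tripped the check rather than only that something did."""
    return LESS_THAN_RE.findall(field)


def scan_form(form: Dict[str, str]) -> Dict[str, List[str]]:
    """Mirror the page's usage example: check every submitted field and report
    the fields that tripped the check together with the matched substrings."""
    report = {}
    for name, value in form.items():
        hits = find_encodings(value)
        if hits:
            report[name] = hits
    return report


# Constructed sample submission, not real traffic.
SAMPLE_FORM = {
    "foo": "hello world",
    "who": "&#x000003C;b&#62;",      # zero-padded hex reference for "<"
    "bar": "%3Cb%3E",                # URL-encoded "<b>"
    "baz": "Copyright &#169; 2011",  # numeric reference that is not "<"
}

if __name__ == "__main__":
    for name, hits in scan_form(SAMPLE_FORM).items():
        print(f"{name}: {hits}")
```

Like the UDF, this is a detection check for one character, not a sanitizer: a field that passes has only been shown not to contain an encoded "<" in the listed forms, so output encoding of untrusted data (for example htmlEditFormat on CF8) is still required wherever the value is rendered.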