I recently posted about a new open source Java project called AntiSamy, which allows you to protect your websites from XSS attacks. I also promised that I'd soon show you some code that demonstrates how to use AntiSamy from within ColdFusion.
I've only tested this code under ColdFusion 8. It should theoretically work on any ColdFusion installation, provided the JDK your server runs on supports the compiled version of the AntiSamy code (which is compiled for Java 1.5).
Before you can actually use AntiSamy, there are a few quick steps you need to take.
AntiSamy is now installed and it's ready for use, but how do we use it?
Initializing an instance of the AntiSamy class is very easy; it takes just one line:
There are a number of methods available, but the main one you'll be concerned with is the scan() method. (For a list of all available methods, download the AntiSamy Javadocs file.)
In our example, we're going to pass two arguments to the scan() method: the string to scan and the path to the XML policy file:
After running the scan() method, the next step is to actually get the "cleaned" results. This is a string containing the original input rewritten to conform to the policy, with any tags, attributes and CSS the policy doesn't allow stripped out.
So now let's combine all this code into an actual working example. Open up the antisamy.cfm file you created in step 6 with your favorite editor and follow the instructions below.
The first thing we'll need to do is create an HTML string which contains some XSS attacks. The example below contains two very simple ones: a plain script tag, and a javascript: URL inside a CSS background property, which only executes in Internet Explorer. Neither does anything malicious, but they show off techniques that could be used to do very malicious things.
Now that we have some HTML with some XSS text in it, we can finally get to the good stuff—actually cleaning the code with AntiSamy.
The variable sSafeHtml will contain the cleaned version of the HTML from the sBadInput variable. The next thing we'll want to do is output both variables so we can see the changes.
Now save the file and run the code in your browser. If all goes well you should see something that looks like:
Bad Input
<script>alert('xss 1');</script> <div style="background:url('javascript:alert('xss 2')')">Some bad HTML!</div>
Cleaned Input using AntiSamy
<div style="">Some bad HTML!</div>
As you can see, AntiSamy successfully cleaned out both of the XSS attacks embedded in the HTML: the script element is gone entirely, and the javascript: URL has been stripped from the style attribute. What survives is whatever the policy file permits, so the result is only as safe as the policy you point scan() at.
Next, let's add the following code to your template:
If you save the changes and run your template again, you will now see either one or two alerts, depending on whether or not you're running Internet Explorer.
If you want to see which problems AntiSamy actually caught, the CleanResults object returned by scan() has a getErrorMessages() method that returns a list of every error the AntiSamy filter raised against the input.
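The complete template, as an added example written for this edit rather than the post's own code, covering the steps described above: creating the AntiSamy instance, calling scan(), reading getCleanHTML(), displaying both strings, listing getErrorMessages(), and finally rendering the cleaned HTML live. The policy file name antisamy-policy.xml and its location next to the template are assumptions; substitute whatever policy file you installed.

```cfml
<!---
  Added example, not the code from the original post: the whole AntiSamy flow
  in one ColdFusion template. Assumptions (not from the post): antisamy.jar and
  its dependencies are already on the ColdFusion classpath, and the policy file
  sits next to this template as antisamy-policy.xml.
--->
<cfset policyFile = expandPath("./antisamy-policy.xml")>

<!--- Constructed sample input: the two harmless XSS probes used in the post --->
<cfset sBadInput = "<script>alert('xss 1');</script> <div style=""background:url('javascript:alert('xss 2')')"">Some bad HTML!</div>">

<!--- 1. Create an instance of the AntiSamy class --->
<cfset antiSamy = createObject("java", "org.owasp.validator.html.AntiSamy").init()>

<!--- 2. Scan the tainted HTML against the policy. scan() returns a CleanResults
     object; it throws if the policy can't be loaded or the input can't be parsed,
     so fail closed here rather than ever falling back to the raw input. --->
<cftry>
  <cfset results = antiSamy.scan(sBadInput, policyFile)>
  <cfcatch type="any">
    <cfoutput><p>AntiSamy scan failed: #htmlEditFormat(cfcatch.message)#</p></cfoutput>
    <cfabort>
  </cfcatch>
</cftry>

<!--- 3. Pull the cleaned HTML out of the results --->
<cfset sSafeHtml = results.getCleanHTML()>

<!--- getErrorMessages() returns a java.util.List; size() and get() are the
     plain Java calls, so this works regardless of how ColdFusion wraps the list --->
<cfset errors = results.getErrorMessages()>

<cfoutput>
<!--- 4. Show both strings. htmlEditFormat() escapes the markup so the browser
     displays the source instead of executing it --->
<h3>Bad Input</h3>
<p>#htmlEditFormat(sBadInput)#</p>

<h3>Cleaned Input using AntiSamy</h3>
<p>#htmlEditFormat(sSafeHtml)#</p>

<!--- 5. List what the policy rejected (List.get() is zero-based) --->
<h3>Errors reported by AntiSamy</h3>
<ul>
<cfloop index="i" from="0" to="#errors.size() - 1#">
  <li>#htmlEditFormat(errors.get(i))#</li>
</cfloop>
</ul>

<!--- 6. Render the cleaned HTML unescaped. Because the script element and the
     javascript: URL were stripped, nothing executes. Rendering #sBadInput#
     unescaped here instead is what fires the alerts the post describes. --->
<h3>Cleaned HTML rendered live</h3>
#sSafeHtml#
</cfoutput>
```

The cfcatch matters more than it looks: if the policy path is wrong, scan() never returns, and a template that quietly substituted sBadInput for sSafeHtml in that case would ship the attack straight to the browser.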
While many developers feel that XSS isn't really an issue for them, if you're using any kind of rich text editor on your site (such as FCKeditor, TinyMCE, etc.) then your site is at risk. The editor runs in the browser, so it cannot stop anyone from submitting arbitrary HTML directly; all it takes is a malicious user posting raw HTML containing an XSS attack for you to be vulnerable.
As you can see, AntiSamy gives you a very quick way to protect yourself from these XSS attacks, and it works great with ColdFusion!