Day 3: Avoid Cross-site scripting (XSS) using ColdFusion 10 – Part 2

Yesterday I have tried to look over three newly added security functions to avoid XSS attach on your website. Today look for remaining functions encodeForCSS, encodeForURL and canonicalize.


As function name says it will encode your string to make safe render in CSS. Normally I do not use dynamic CSS but in certain case you may want to change background color of div based on user input. User input??? Yes and it dangerous too as we are opening again door for XSS attack for hacker. Have a look on sample below.
<cfset mycfvariable = "##ffffff;background:url(;width:200px;height:200px">
border:1px solid;
.mysecurediv {
border:1px solid;
<div class="mydiv">
Test content
<div class="mysecurediv">
Test content
We have coldfusion variable which contains color code of background but some how hacker able to modify value as shown in mycfvariable and add additional  CSS which set background image from another site or just close style tag and add new <script> with malicious script. encodeForCSS will encode user input string to make it safer for CSS and it make sure whatever text encode will use as value of CSS property. 


encodeForURL is almost same as existing function URLEncodedFormat function. Can’t figure out what exactly difference between these two, only one difference I found that encodeForURL use + to encode space instead of %20. (Please put comment if you know any other difference). As per my opinion all these functions added as Encode API has and may be older function will deprecated in future.
[code:cf]<cfset weburl = "">
<a href="http://#encodeForURL(weburl)#">Google</a>

Above code is just for demonstrate to show how we can use it and why we should use it. This will make sure whole variable value considered as URL and cannot be use to add additional attribute on anchor tag.
<cfset weburl = """ onmousemove=""alert(‘hello’)"" style=""position:absolute;z-index:99999;top:0;width:1000;height:1000""">
<a href="http://#weburl#">Google</a>
Just try above code where I have tried to modify weburl variable for XSS attack and haven’t use encodeForURL. Powerful right?


Canonicalize is simply reduce encoded format to it normal/simplest string format. Normally attacker try to insert attacking string in encoded format which work well in targeted format (e.g. for sql inject whole query converted to hex code on use CAST function before executing). It is always advisable to use canoncalize user input before doing any security validation and I think on all user inputs as it will not affect user input otherwise it doesn’t contain some encoded format. Adobe site has very poor documentation for this function, just refer this link for better explanation.

It is easy to build secure site if we use appropriate function at appropriate place and just change our mind set from "It’s Ok, who know that I haven’t use these functions" to "Someone watching that I haven’t use these function". 🙂