Better XSS Protection for CFML

  • February 1, 2013
  • David Epler

So like quite a few others, I have been working with Groovy and Grails much more. I’m not going to go into how much better or more enjoyable it is to work with than CFML; rather, I want to take ideas from it and lobby to get them implemented in Adobe ColdFusion and Railo.

The ESAPI encoders are now baked into the language for both Adobe ColdFusion 10 and Railo 4 and can help prevent XSS when you use the proper encoder for the output context, which in most cases means EncodeForHTML(string) [ACF, Railo] or ESAPIEncode("HTML", string) [Railo]. It is possible to get the same functionality in older versions using ESAPI4CF or CFBackPort. But the problem is that to fully protect against XSS you need to go through all the code in an application that renders output and modify it to use the proper encoder.


CFML Admin API Project

  • September 28, 2009
  • David Epler

Well, this isn’t exactly a new project. I actually started it back in 2005 when I wrote an Admin API for BlueDragon 6.2 and had a compatibility layer to map cfide.adminapi calls back to the BlueDragon Admin API.

For the past several years the code has been available in various locations. Ultimately, the Admin API for BlueDragon 6.2 that I wrote became the basis for the Open BlueDragon Admin API, but the compatibility layer was not used. The direction of building a compatibility layer to match ColdFusion MX 7 (or later) didn’t seem to be a sustainable idea, since I’d always have to chase how the ColdFusion Admin API was implemented for calls and returns.
