ColdFusion 2016 Security Enhancements: EncodeFor

ColdFusion 2016 added a handy enhancement to make writing secure CFML code easier for developers. This enhancement helps developers protect large chunks of code from a security vulnerability known as Cross Site Scripting or XSS.

What is Cross Site Scripting?

A cross site scripting vulnerability allows the attacker to execute client side code in the victim's browser. In many cases the cross site scripting vulnerability can be used to exploit additional vulnerabilities or even leverage browser vulnerabilities to install malware on the victim's computer. For more information about Cross Site Scripting please read the OWASP XSS guide.

What does Cross Site Scripting Look Like in CFML?

Quite simply, any time you output a variable from an untrusted source it could be vulnerable to XSS. Here is an example outputting the variable url.name (which comes from an untrusted source, the URL query string):

<cfoutput>
    Hello #url.name#!
</cfoutput>

The above code is vulnerable to XSS because the variable url.name could have any value (for example JavaScript code). Any variable that comes from user input (the entire HTTP request, including headers) should be protected. This includes values you may already have stored in your database that were previously entered by users.

How do you fix Cross Site Scripting in CFML?

ColdFusion 10 introduced several functions designed for safely outputting untrusted variables. For example, the encodeForHTML function escapes characters such as < into &lt; for safe output. So to fix the vulnerable example you would simply do this:

<cfoutput>
    Hello #encodeForHTML(url.name)#!
</cfoutput>

There are other encoding functions besides encodeForHTML, and which one you use depends on where you are outputting a variable. For example, encodeForHTMLAttribute is used when you are outputting inside an attribute on an HTML tag.

ColdFusion 2016 Enhancement

Having encodeForHTML and the other related functions built in is a great benefit for writing secure CFML; however, it can be tedious to go through all your code and wrap each variable with encodeForHTML. Starting with ColdFusion 2016 there is a new attribute on the cfoutput tag called encodeFor. You use it like this:

<cfoutput encodeFor="html">
    Hello #url.name#!
</cfoutput>

Now every CFML variable inside the cfoutput tag is automatically wrapped with encodeForHTML! This can save a lot of time if you have a large cfoutput block with lots of variables to protect.
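
The two approaches side by side, as an added example that is not from the original post: the encodeFor attribute covers a block whose variables all land in HTML body text, while a block that mixes output locations uses the per-context functions. The variable url.city and the path /search.cfm are made-up names for illustration.

```cfml
<!--- Added example. url.city and /search.cfm are hypothetical. --->
<cfparam name="url.name" default="">
<cfparam name="url.city" default="">

<!--- HTML body text only: the tag HTML-encodes each variable in the block --->
<cfoutput encodeFor="html">
    <h1>Hello #url.name#!</h1>
    <p>Showing results for #url.city#</p>
</cfoutput>

<!--- Mixed output locations: pick the encoder that matches each one --->
<cfoutput>
    <!--- inside an attribute on an HTML tag --->
    <input type="text" name="name" value="#encodeForHTMLAttribute(url.name)#">

    <!--- inside a URL query string value, then inside HTML body text --->
    <a href="/search.cfm?q=#encodeForURL(url.name)#">Search for #encodeForHTML(url.name)#</a>

    <!--- inside a JavaScript string literal --->
    <script>
        var userName = '#encodeForJavaScript(url.name)#';
    </script>
</cfoutput>
```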

Written by Pete Freitag,
Pete is the owner of Foundeo Inc. a consulting and products company focused on ColdFusion, with an expertise in ColdFusion Security. He has written several publications including the ColdFusion Lockdown Guides, and the ColdFusion Developer Security Guide. Pete teaches a full day class on Writing Secure CFML, and is a frequent speaker at conferences on the topic of ColdFusion security.
