XSS mitigation in ColdFusion, Part 1: Understanding HTML Contexts - Security Series #8.5.1

A long, long time has passed since my first post on Cross-Site Scripting. Looking back on it now, I realize that I have learned a lot since then. I do not think that post cuts the mustard anymore and I will need to do some writing to make up for that.

In the meantime, the topic of XSS came up on a discussion board a few weeks before I started writing this, and again on Ray's blog today, and I wanted to take some time to explore it in more depth. One common misconception about XSS mitigation in ColdFusion is that the best way to handle it is to use HTMLEditFormat() to output any user generated data. I had this same misconception for a long time and have helped to spread it.

While it is true that HTMLEditFormat() can stop many attacks in many locations in your applications, it is not a catch-all for XSS. HTMLEditFormat() only works in the HTML block content context of your applications. Your applications have several other contexts (for example attribute values and script blocks) where, if you use dynamic code, you can open up XSS vulnerabilities that HTMLEditFormat() cannot stop.

In this post, we will discuss these contexts, what they are, and why they need to be treated differently.


Whose responsibility is data security?

This is an important question and one that you need to ask yourself.

Last week this article was released about a faculty researcher at University of North Carolina at Chapel Hill.

The article describes how the University recently found out that a machine that stored 180,000 social security numbers (used for research) was compromised back in 2007. The University is now hanging the researcher out to dry and not claiming any fault of its own. There is no report yet on what is happening with the programmer/system admin that she hired to maintain the system.


Call for speakers - cf.Objective()

Hey, in case you didn't notice, the call for speakers for the super-awesome-fantastic-amazing cf.Objective() conference is now open.

You can submit your proposals here:


Even if you don't submit a proposal, you should definitely come to cf.Objective(). It is the best ColdFusion conference there is. And remember that cf.Objective() isn't JUST for advanced/enterprise developers. cf.Objective() is also about becoming an advanced/enterprise developer. So even if you feel like cf.Objective() might be over your head, if you're an experienced developer who wants to take the next step in your learning, cf.Objective() is the place for you!

So get on it!

My Presentation Files from the MN Government IT Symposium

Last week I had a great time presenting a couple of topics at the MN Government IT Symposium. Here are the slide decks from my presentations:


Getting your BlackBerry PlayBook development environment set up - Part Three

In this post, we're going to look at setting up FlashBuilder 4 to talk to our BlackBerry PlayBook virtual device. We'll also create our first PlayBook App.

Note: Parts One and Two of this series are prerequisites to this part.

Something New

My last two posts were SO LONG, and took a while to load. All of the screen captures and images really annoyed me. So I decided to do this post using Adobe Captivate.


Getting your BlackBerry PlayBook development environment set up - Part Two

I wanted to release this a couple days ago, but I have been battling connectivity problems at home.

In my last BlackBerry PlayBook post we went through what resources we needed and how to get Flash Builder 4 installed and integrated with the BlackBerry PlayBook SDK. Next we'll look at installing the BlackBerry PlayBook simulator.

The simulator is actually a bootable ISO image that is intended to be run inside of a VMware virtual machine. I am sure there are resources on how to get VMware Player (Windows) or VMware Fusion (Mac) installed on your system, so I will not be covering it in this post. Instead, I will assume you already have it installed.


What can I do on different devices? Adobe AIR

So in an effort to figure out what I can do with different devices, I came across this VERY useful document on Adobe's site. It essentially outlines the features of AIR that are not available across platforms and tells us, of those features, which are available where.

For example, I suspected, but did not know that the Encrypted Local Store would not be available on mobile devices (yet?).

If you plan to develop for multiple device profiles (Desktop, Mobile, TV) then you need to take a look at this:


The Winner of the ColdFusion Builder contest and the charity receiving our donation

Last week I ran a contest for Veterans' Day to try to honor those men and women that defend the U.S. and keep it strong.


Getting your BlackBerry PlayBook development environment set up - Part One

I, like many others, am VERY excited about the BlackBerry PlayBook, due out sometime in early 2011. One of the reasons I am very excited is that BlackBerry has partnered with Adobe to make Adobe AIR one of the easiest ways to start making apps for the PlayBook. I LOVE Adobe AIR and have been using it for almost two years now for developing desktop applications.

So the first questions that many new AIR developers might have are:

  1. What do I need to know?
  2. How do I get started?
  3. Where do I get what I need?
  4. What's next?


I feel like giving something away for Veterans' Day

It's been a while since I gave something away. I like to give things away, it makes me feel like I am doing something good for our community and, hopefully, for the receiving person. Today, I also want to do something for our veterans.

To start, I would like to give away a copy of ColdFusion Builder 1.0 (Preferably to someone who does not have it already).

I think ColdFusion Builder is a fantastic product. I use it every day and I love it. I use it at work, I use it at home. I recommend it to everyone. For this giveaway, I'd like to know, briefly, what excites you about ColdFusion Builder. Leave me a comment that tells me one or more of the following:



BlogCFC was created by Raymond Camden. This blog is running version 5.9.1.