XSS Additional Protection

This is a snippet of code from one of my applications. It’s not a stop-all (it only looks at the query string, and the allowlist it uses still admits quotes, parentheses, colons and semicolons), but it’s a good start.

//XSS protection: reject the request if the decoded query string contains any character
//outside the RFC 3986 reserved and unreserved sets.
   whiteListReserved   = "!|*|'|(|)|;|:|@|&|=|+|$|,|/|?|%|##|[|]";
   whiteListUnreserved = "A|B|C|D|E|F|G|H|I|J|K|L|M|N|O|P|Q|R|S|T|U|V|W|X|Y|Z|a|b|c|d|e|f|g|h|i|j|k|l|m|n|o|p|q|r|s|t|u|v|w|x|y|z|0|1|2|3|4|5|6|7|8|9|-|_|.|~";
   whiteList = listAppend(whiteListReserved, whiteListUnreserved, "|");
   //Decode once so that %XX sequences are checked as the characters they stand for.
   qString = URLDecode(cgi.query_string);

   for (i = 1; i lte Len(qString); i++) {
    /*
    Get the character at the given index. The ColdFusion Mid() function takes the string, the starting index
    and the number of characters to return. In this case, we only want one character, so the length is one.
    */
    strChar = Mid(qString, i, 1);
    //listFind() is case-sensitive, which is why both upper- and lower-case letters are listed above.
    if (listFind(whiteList, strChar, "|") eq 0) {
     //The offending character is written into a script block, so encode it for that context
     //instead of interpolating it raw into the alert string.
     writeOutput("<script type='text/javascript'>alert('#encodeForJavaScript(strChar)# is in violation of xss rules.');</script>");
     //Here I have a session variable that I toggle based on a user being authenticated. Not super relevant to this posting.
     Session.isAuthenticated = 0;
     url.msg = "There is a security violation within your request. Your session has been reset. Please log back in.";
     //One violation is enough; stop scanning rather than raising one alert per bad character.
     break;
    }
   }
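The same allowlist scan written in Python, as an added example rather than the post’s own ColdFusion code, so the check can be run against a few constructed query strings and its blind spots seen directly. The allowlist is the post’s reserved-plus-unreserved set; the function names, the returned dictionary and the sample query strings are constructed for illustration, and the example assumes the decoder maps `+` to a space the way form-style URL decoding does.

```python
"""Allowlist scan of a URL-decoded query string (added example, Python port).

The allowlist is the RFC 3986 reserved + unreserved set used in the post.
Function names, the result dictionary and the SAMPLES below are constructed
for this example; they are not part of the original post.
"""
import html
import string
from typing import Dict, Optional
from urllib.parse import unquote, unquote_plus

# Same characters as the post's whiteListReserved / whiteListUnreserved lists.
RESERVED = set("!*'();:@&=+$,/?%#[]")
UNRESERVED = set(string.ascii_letters + string.digits + "-_.~")
ALLOWED = RESERVED | UNRESERVED


def first_violation(raw_query_string: str) -> Optional[str]:
    """Return the first decoded character that is not on the allowlist,
    or None when every character is allowed.

    Mirrors the post's loop: decode once, then test each character.
    unquote_plus() is assumed here to behave like the post's URLDecode(),
    decoding %XX and turning '+' into a space.
    """
    decoded = unquote_plus(raw_query_string)
    for ch in decoded:
        if ch not in ALLOWED:
            return ch
    return None


def second_decode(raw_query_string: str) -> str:
    """What a downstream component sees if it decodes the value once more.
    Used to show why a single-decode allowlist misses double-encoded input."""
    return unquote(unquote_plus(raw_query_string))


def handle_request(raw_query_string: str) -> Dict[str, object]:
    """The post's reaction to a violation, minus the ColdFusion session
    plumbing: reject the request and clear the authenticated flag.
    Returns a dictionary instead of mutating a Session scope."""
    bad = first_violation(raw_query_string)
    if bad is None:
        return {"accepted": True, "authenticated": True, "message": ""}
    # The offending character goes back into a page, so encode it for that
    # context; the rejection message must not become an injection point.
    return {
        "accepted": False,
        "authenticated": False,
        "message": f"{html.escape(bad, quote=True)} is in violation of xss rules.",
    }


# Constructed sample query strings showing what the allowlist catches and misses.
SAMPLES = {
    "plain":          "q=search&page=2",                        # accepted
    "angle_brackets": "q=%3Cscript%3Ealert(1)%3C/script%3E",    # '<' rejected
    "no_angle":       "next=javascript:alert(1)",                # every char allowed
    "space":          "q=hello+world",                           # '+' decodes to ' ', rejected
    "double_encoded": "q=%253Cscript%253E",                      # decodes to %3C..., allowed
}


def survey() -> Dict[str, Optional[str]]:
    """Run the check over every sample and report the first rejected character."""
    return {name: first_violation(qs) for name, qs in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in survey().items():
        print(f"{name:15s} -> {result!r}")
    print("double_encoded after a second decode:", second_decode(SAMPLES["double_encoded"]))
```

Running the samples makes the trade-offs concrete: the allowlist stops `<`, `>` and `"`, but `javascript:alert(1)` is made entirely of allowed characters and passes, an ordinary search for `hello+world` is rejected because the space is not on the list, and `%253C` passes the scan yet becomes `<` the moment anything downstream decodes it again. The check is therefore a coarse input filter that belongs alongside, not instead of, context-specific output encoding (EncodeForHTML and EncodeForJavaScript in ColdFusion 10 and later, HTMLEditFormat and JSStringFormat before that).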