XSS Additional Protection

This is a snippet of code from one of my applications. It’s not a stop-all, but it’s a good start.

//XSS protection
   whiteListReserved = "!|*|'|(|)|;|:|@|&|=|+|$|,|/|?|%|##|[|]";
   whiteListUnreserved = "A|B|C|D|E|F|G|H|I|J|K|L|M|N|O|P|Q|R|S|T|U|V|W|X|Y|Z|a|b|c|d|e|f|g|h|i|j|k|l|m|n|o|p|q|r|s|t|u|v|w|x|y|z|0|1|2|3|4|5|6|7|8|9|-|_|.|~";
   whiteList = listappend(whiteListReserved,whiteListUnreserved,"|");
   qString = URLDecode(cgi.query_string);

   for(i=1;i lte Len(qString);i++){
    Get the character at the given index. The ColdFusion Mid() function takes the string, the starting index
    and the number of characters to return. In this case, we only want one character, so the length is one.
    strChar = Mid(qString, i, 1 );
    if (listFind(whiteList,strChar,"|") eq 0){
     writeOutput("<script type='text/javascript'>alert('#strChar# is in violation of xss rules.');</script>");
     //Here I have a session variable that I toggle based on a user being authenticated. not super relevant to this posting.
     Session.isAuthenticated = 0;
     url.msg = "There is a security violation within your request. Your session has been reset. Please log back in.";

Restarting your Coldfusion Application without restarting ColdFusion

To restart you application place the following line of code in your Application.cfc within the OnRequestStart function.


Now anytime you pass the URL string “restart” your application will restart. Obviously you can use whatever method you chose, but this will point you in the right direction.