XSS Additional Protection

This is a snippet of code from one of my applications. It’s not a stop-all, but it’s a good start.

//XSS protection
   // Characters permitted in the decoded query string: the "reserved" and
   // "unreserved" sets from the URI syntax. "##" is how a literal "#" is
   // written inside a ColdFusion string, so the list contains a single "#".
   whiteListReserved = "!|*|'|(|)|;|:|@|&|=|+|$|,|/|?|%|##|[|]";
   whiteListUnreserved = "A|B|C|D|E|F|G|H|I|J|K|L|M|N|O|P|Q|R|S|T|U|V|W|X|Y|Z|a|b|c|d|e|f|g|h|i|j|k|l|m|n|o|p|q|r|s|t|u|v|w|x|y|z|0|1|2|3|4|5|6|7|8|9|-|_|.|~";
   whiteList = listAppend(whiteListReserved, whiteListUnreserved, "|");
   // cgi.query_string is the raw, still-encoded string; decode it once so
   // that "%3C" is inspected as "<" (URLDecode also turns "+" into a space).
   qString = URLDecode(cgi.query_string);

   for (i = 1; i lte Len(qString); i++) {
    // Get the character at the given index. Mid() takes the string, the
    // starting index and the number of characters to return; we want one.
    strChar = Mid(qString, i, 1);
    if (listFind(whiteList, strChar, "|") eq 0) {
     writeOutput("<script type='text/javascript'>alert('#strChar# is in violation of xss rules.');</script>");
     // Session flag that is toggled when a user authenticates; not central to this post.
     Session.isAuthenticated = 0;
     url.msg = "There is a security violation within your request. Your session has been reset. Please log back in.";
    }
   }

A few things to keep in mind when using this. It inspects only cgi.query_string, so POST bodies, cookies, headers and the path are not covered. Because URLDecode turns "+" and "%20" into a space, and a space is not on the list, any parameter value containing a space trips the check. The allow-list still admits ', (, ), =, ; and :, which is enough to build a payload where a value is reflected unencoded into a single-quoted attribute or into JavaScript, so output encoding at the point of use is still required. Finally, the alert that echoes the offending character back into a <script> block should encode it for the JavaScript string context rather than interpolate it raw.
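To make the reach of the allow-list concrete, here is the same check ported to Python, as an added example and not code from the original post. find_violations mirrors the ColdFusion loop (one URLDecode, then a 1-based scan of the decoded string), and the other helpers show the output-encoding step the check does not replace. The function names and the sample query strings are my own and are constructed for illustration.

```python
"""Allow-list scan of a query string, modelled on the ColdFusion loop above.

Added example: re-implements the per-character check so the cases it
catches and the cases it lets through can be exercised offline. Sample
inputs in the tests and in main() are constructed, not captured traffic.
"""
import html
import json
from urllib.parse import unquote_plus

# The same two lists as the ColdFusion snippet ("##" there is an escaped "#").
RESERVED = "!*'();:@&=+$,/?%#[]"
UNRESERVED = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
              "abcdefghijklmnopqrstuvwxyz"
              "0123456789-_.~")
ALLOWED = frozenset(RESERVED + UNRESERVED)


def decode_query(raw_query_string, passes=1):
    """Apply URL decoding `passes` times. URLDecode() decodes once and also
    turns "+" into a space, which unquote_plus mirrors. passes=2 models a
    downstream component that decodes the already-decoded value again."""
    decoded = raw_query_string
    for _ in range(passes):
        decoded = unquote_plus(decoded)
    return decoded


def find_violations(raw_query_string, passes=1):
    """Return every (position, character) pair in the decoded query string
    that is not on the allow-list. Positions are 1-based, like Mid(qString, i, 1)."""
    decoded = decode_query(raw_query_string, passes)
    return [(i, ch) for i, ch in enumerate(decoded, start=1) if ch not in ALLOWED]


def js_string_literal(text):
    """Encode text for a JavaScript string literal inside a <script> block.
    json.dumps handles quotes, backslashes and control characters; "<" and
    ">" are escaped on top so "</script>" can never appear in the output."""
    return json.dumps(text).replace("<", "\\u003c").replace(">", "\\u003e")


def violation_alert(ch):
    """Hardened form of the writeOutput() line: the offending character is
    encoded for the JavaScript string context instead of interpolated raw."""
    return ("<script type='text/javascript'>alert("
            + js_string_literal(ch + " is in violation of xss rules.")
            + ");</script>")


def reflect_into_single_quoted_attr(value, encode=True):
    """Reflect a parameter into value='...'. With encode=False this is what
    the allow-list alone leaves you with; with encode=True the quote is
    encoded, so the attribute cannot be closed early."""
    if encode:
        value = html.escape(value, quote=True)
    return "<input value='" + value + "'>"


if __name__ == "__main__":
    samples = [
        "q=%3Cscript%3Ealert(1)%3C/script%3E",   # caught: "<" and ">"
        "q=hello+world",                         # caught: the decoded space
        "next=javascript:alert(document.cookie)",  # passes: all allowed chars
        "v=x'/onmouseover='alert(1)",            # passes: ' ( ) = are allowed
        "q=%253Cscript%253E",                    # passes once, "<" on 2nd decode
    ]
    for s in samples:
        print(f"{s!r:45} -> {find_violations(s)}")
    print(reflect_into_single_quoted_attr("x'/onmouseover='alert(1)", encode=False))
    print(reflect_into_single_quoted_attr("x'/onmouseover='alert(1)"))
```

The fourth sample is the one to study: it contains nothing the list rejects, yet reflected unencoded into value='...' it closes the attribute and starts another one. html.escape(value, quote=True) turns the quote into &#x27; and the markup stays intact, which is why the allow-list is a first line and output encoding is the one that must not be skipped.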

Restarting your ColdFusion Application without restarting ColdFusion

To restart your application, place the following line of code in your Application.cfc, inside the onRequestStart function.


Now any request that carries the URL parameter "restart" will restart the application. You can use whatever trigger you choose, but this will point you in the right direction. Whatever the trigger, gate it: a restart discards application-scoped state and the sessions that depend on it, so a restart parameter that anyone can send lets anyone log all of your users out at will. Check for an authenticated administrator, or at the very least a secret token, before restarting.


So I’ve decided to pay it forward and share some of the things I’ve collected and learned along the way. I’m not a great writer, but I hope you at least find the topics and banter interesting. I don’t always know the line-by-line details of how certain code works, but I do tend to get things done. Along the way you may read some football (soccer) banter, as I am an avid Arsenal fan and grew up loving the beautiful game. Finally, my family means everything to me, so now and then I may post some personal stuff up here for your entertainment. If you have constructive feedback, please feel free to share your opinion, but be considerate and remember we are all people with families, reputations and feelings.