Raymond Camden's Blog Rss

Where the heck is InvalidTag coming from?

23

Posted in ColdFusion | Posted on 01-05-2007 | 7,062 views

I've gotten this question many times so I thought I'd write up a quick FAQ. If you are displaying dynamic content on your ColdFusion site and see InvalidTag instead of the HTML you thought you would - it means one of two things.

Either your ColdFusion Admin has Enable Global Script Protection turned on or your Application has scriptProtect set to true. This would be set in either the CFAPPLICATION tag or the This scope of your Application.cfc file.

This is a feature that helps prevent cross-site scripting attacks. Personally I don't use this feature as I always htmlEditFormat user input before displaying it. For more information about this feature, see this page from the LiveDocs:

Settings Page

So - raise your hand if you've seen this and had no idea what it was!

Comments

[Add Comment] [Subscribe to Comments]

Mike Nimer said on 01-05-2007 at 10:39 PM #
And the string "invalidTag" is defined in the neo-security.xml as well as the regex pattern used to check for scripting hacks.

<code>
<var name="CrossSiteScriptPatterns">
            <struct type="coldfusion.server.ConfigMap">
               <var name="&lt;\s*(object|embed|script|applet|meta)">
                     <string>&lt;InvalidTag</string>
               </var>
            </struct>
         </var>
</code>
DK said on 01-06-2007 at 7:37 AM #
theres currently a secunia vulnerability listed for the cross site scripting feature as well. It was entered on 12 Dec 06 and is said to allow you to get around the feature.

http://secunia.com/advisories/23281/
Stefan said on 01-06-2007 at 5:53 PM #
Might this be what the latest hotfix (2006-11-30) fixes?
"64586    Hot fix to resolve a possible cross-site scripting (XSS) vulnerability in ColdFusion's handling of forms."
http://www.adobe.com/cfusion/knowledgebase/index.c...
Ryan Everhart said on 01-08-2007 at 10:49 AM #
Ray,
Thanks for the post, I've been having this issue on my codeShare site (http://codeshare.everfro.com, shameless plug). When users submit code with JS in it the script tag gets replaced with InvalidTag. Hopefully this will help me with my issue.

Ryan
Hari said on 05-21-2007 at 2:40 PM #
Thanks for the post, it helped me to resolve the <InvalidTag issue that I faced.
Brandon said on 06-03-2008 at 1:47 PM #
Is there any way to get around this? I am working on a site that is on a shared server, and they have enabled it in the cf administrator (and won't allow it to be overridden in Application.cfc). The client needs to be able to embed flash and object files, as well as edit meta tags, but those are all rendered "invalid".
Raymond Camden said on 06-03-2008 at 3:33 PM #
What do they mean they won't allow you? They will kick you off the server? Nothing in CF prevents you from turning it off in App.cfc.

Unfortunately I think you are out of luck. I'd change hosts.
ColdFusion developer said on 06-07-2008 at 5:22 AM #
Hi guys - I have a workaround for the problem you're mentioning.

<a href="http://www.beetrootstreet.com/blog/index.cfm/2008/...;

It basically uses onRequestEnd.cfm to re-write the SCRIPT tags. It can also be adapted to work in an Application.cfc environment.

Hope it helps.

Martin
ColdFusion developer said on 06-07-2008 at 5:22 AM #
Seems the URL didn't insert properly. Try again..

http://www.beetrootstreet.com/blog/index.cfm/2008/...

Martin
Russ said on 09-28-2009 at 8:58 AM #
for some reason disabling it in the application.cfm doesn't work, you have to disable it in the cfadmin.
Raymond Camden said on 09-28-2009 at 9:01 AM #
I believe you are wrong Russ. The CFAPP can always overrule the CF Admin. I'd check again.
Russ said on 09-28-2009 at 9:35 AM #
My blogcfc has and always has had scriptrotect="none" in the cfapplication, it makes no difference, only disabling script protection in the cfadmin solves the problem. I will humor your telling me to check again and post the code here for you.

<cfapplication name="#prefix#_blog_#blogname#" sessionManagement="true" loginStorage="session" scriptprotect="none">
Raymond Camden said on 09-28-2009 at 9:38 AM #
Is caching turned on in the CF Admin? I mean trusted cache.
TimD said on 02-11-2010 at 6:54 PM #
Thank you Thank you. I was stumped where this was coming from.
ThutMose said on 03-03-2010 at 1:27 PM #
Ray,
I've run into the same issue that Russ did. Going to do some further testing, but with global script protect on the override in the cfapplication doesn't seem to get picked up or its not allowed. A little odd. I believe blogCFC comes out of the box that way. I've cleared the template cache just to be sure but the issue persists.
Raymond Camden said on 03-03-2010 at 1:29 PM #
That seems odd. I've never seen the template get overridden by the server setting before. Please let me know what you find.
Frank Gerritse said on 05-03-2010 at 8:39 AM #
Hi Raymond.

I have the same problem with this page http://www.4sixsix.nl/page.cfm/Filmpjes
See the source of this page. I have put scriptprotect="false" in the application file but nothing happen.
I have e-mail the support desk of hostek.com to see if there is something changed on the server.
This happend after an update of this page last week. Before that the youtube movies are show correct on the page ?
Raymond Camden said on 05-04-2010 at 3:43 PM #
Sorry for the delay. Not sure what to tell you. Can you show me the code (ie, where you put in script protect). Also check to ensure your host doesn't have trusted cache turned on.
anonymous said on 07-06-2010 at 7:42 PM #
Maybe help some folks who have been having trouble...

Depending on your version, the string "False" may NOT equivalent to the boolean operator False. The string "No", however, IS equivalent.

Trying writing:
scriptProtect = false

OR:
scriptProtect = "No"

Do not write:
scriptProtect = "false"

That might solve some of the problems for some of the people out there.
Bill said on 02-08-2011 at 6:50 AM #
I'd like to have the script protection on, but it messes up the HTML Editor in the CMS for my site. Any recommendations?
Raymond Camden said on 02-08-2011 at 6:59 AM #
Since you can only turn it off and on at the Application or server level, you are out of luck. You would need to do the protection manually.
Bill said on 02-08-2011 at 7:19 AM #
Ah - I thought so. I don't suppose you have a handy 'how-to' posted somewhere do you? :-) Thanks.
Raymond Camden said on 02-08-2011 at 9:55 AM #
Perhaps: http://portcullis.riaforge.org/

[Add Comment] [Subscribe to Comments]