You schooled me on using vars in my cfc to help ratchet up the security. If I used the following code in my cfc that processes my contact form, do you feel like the data would be cleansed and relatively benign? I'm also using cfparams in the page with the form and validating it with jQuery and/or CF server side code (for non Java visitors) as well.Awesome question - and to be honest - my initial response going to be sure - that's good enough. But I knew there was a bit more to it. I decided to hit up Pete Freitag. As far as I'm concerned Pete is the leading expert in the area of ColdFusion and security. He had a great response to this that I think makes it very clear that htmlEditFormat may not be enough.
<cfargument name="email" type="string" required="yes">
<cfargument name="fullname" type="string" required="yes">
<cfset var elements = structNew()>
<cfset elements.email = htmlEditFormat(trim(arguments.email))>
<cfset elements.fullname = htmlEditFormat(trim(arguments.fullname))>
The answer is, it depends. It depends on where the variables are outputted. There are 5 different places the variable could be output on a web page, and each has different encoding methods that are required.
HTML Body: <p>#elements.email#</p>
HTML Attribute <a href="mailto:#elements.email#">...</a>
CSS: <div style="color:#url.color#" />
URL: <a href="page.cfm?email=#elements.email#">...</a>
See Slides 56-61 in my presentation Writing Secure CFML: http://www.petefreitag.com/item/759.cfm
So HTMLEditFormat is only considered safe in the HTML Body, in other contexts such as the HTML Attribute it may allow for XSS (depending on the quotes of the attribute, and how strict the browser is about quotes), keep in mind the HTMLEditFormat doesn't escape single quotes so if you have <div id='#HTMLEditFormat(url.id)#'> you can simply pass in ?id=1'+onmouseover='badStuff();'
The ESAPI is a really good way to encode variables to handle all the contexts (mentioned in my slides).
Excellent response, Pete. As I said, I had an inkling to what the issue was but he spelled it out perfectly. I think most of us consider the HTML Body context, but not the other ones. Handling this then requires a very firm understanding of how your data is actually used.