MG 3.2 Feature Sneak Peek - Input Sanitization

I wanted to get some information about the 3.2 release. Security is all the rage these days, what with all the Cross Site Scripting and SQL Injection attacks. As Model-Glue is your front controller, it would be the natural place to do some protection.

John Mason wrote Portcullis, a library that handles scanning for XSS, SQL Injection and other important security input scanning features. I've just implemented it in a branch of Model-Glue and I'm thinking through how best to make it configurable in your applications. First, let's talk about what Portcullis/MG does.

XSS

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which enables malicious attackers to inject client-side script into web pages viewed by other users. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites accounted for roughly 80% of all documented security vulnerabilities as of 2007.[1] Their impact may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site, and the nature of any security mitigations implemented by the site owner. ( http://en.wikipedia.org/wiki/Cross-site_scripting )

Example

Say I have code allowing someone to upload a profile description. If the user adds an image tag with JavaScript inside, that JavaScript will be executed in the browser context of any person viewing the profile. You can see an example below.

This is my profile.. <IMG SRC="javascript:alert('XSS');" />, isn't it nice.

In this case an alert just pops up, but we really are executing JavaScript, and the same hole can be used for many different attacks. Portcullis will scan the input and sanitize this.

Form Text: This is my profile.. <IMG SRC="javascript:alert('XSS');" />, isn't it nice.
Post Portcullis: This is my profile.. &lt;IMG SRC="[INVALID]alert&#40;&#39;XSS&#39;&#41;&#59;"&gt;, isn't it nice.

So, you can see, Portcullis detected some sketchy input, sanitized it, and now it is rendered harmless when displayed in the browser.
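Portcullis scrubs the input on the way in; the other half of the picture is what the view does with the value on the way out. The added Python example below (my own illustration, not Portcullis or Model-Glue code) takes the post's profile text, encodes it at render time so the browser only ever sees text, allowlists the URL scheme of a user-supplied image source rather than hunting for the string "javascript:", and shows the double-encoding you get when a value is HTML-encoded on input and again on output. The `render_profile` and `is_safe_url` names and the `SAFE_SCHEMES` set are assumptions made for this example.

```python
import html
from urllib.parse import urlsplit

# Constructed sample: the profile text from the post, with the image tag's quotes as intended.
PROFILE_INPUT = "This is my profile.. <IMG SRC=\"javascript:alert('XSS');\" />, isn't it nice."

# Assumed policy for this example: profile images may use http, https or a relative URL ("").
SAFE_SCHEMES = {"http", "https", ""}


def escape_for_html(text: str) -> str:
    """Output-time encoding: <, >, &, \" and ' become entities, so markup in the value is inert."""
    return html.escape(text, quote=True)


def render_profile(description: str) -> str:
    """Encode at the point of render, for the HTML body context the value is placed in."""
    return '<p class="profile">' + escape_for_html(description) + "</p>"


def is_safe_url(url: str) -> bool:
    """Allowlist the scheme of a user-supplied src/href instead of blacklisting 'javascript:'.

    Whitespace and control characters are dropped first, because browsers ignore them
    when they parse a scheme, so the check must look at what the browser will see.
    """
    cleaned = "".join(ch for ch in url if ord(ch) > 32)
    return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES


def double_encoded(text: str) -> str:
    """The pitfall of encoding on input (HTMLEditFormat over every FORM field) and again on
    output: '<' reaches the page as '&amp;lt;' and the visitor sees a literal '&lt;'."""
    return escape_for_html(escape_for_html(text))


if __name__ == "__main__":
    print(render_profile(PROFILE_INPUT))
    print(is_safe_url("javascript:alert('XSS');"), is_safe_url("/images/avatar.png"))
    print(double_encoded("<b>bold</b>"))
```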

SQL Injection

SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. SQL injection attacks are also known as SQL insertion attacks.[1] ( http://en.wikipedia.org/wiki/Sql_injection )

Example

This is a common one, even gaining its own comic (http://xkcd.com/327/). Basically, the attacker tries to shove some SQL into an input. Portcullis scans and sanitizes these sorts of attacks also.

a';DROP TABLE users; SELECT * FROM data WHERE 't' = 't

In this case, the user has crafted a special string so that when the input value is used in an SQL statement, several statements are sent to the database.

SELECT * FROM users WHERE name = 'a';DROP TABLE users; SELECT * FROM DATA WHERE 't' = 't';

When Portcullis gets something like this, it sanitizes the dangerous input.

a';[Invalid] TABLE users; [Invalid] * FROM data WHERE 't' = 't

None of this will execute in an SQL engine, because it is no longer valid SQL. It is best practice to use cfqueryparam to prevent SQL injection, but Portcullis can help out too, especially in cases where cfqueryparam isn't consistently applied.
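To make the cfqueryparam point concrete, here is an added Python/sqlite3 example (my own, not Portcullis or Model-Glue code) that runs the post's payload through a concatenated query and through a bound-parameter query, and puts a simplified keyword scrubber beside them. The scrubber is a hypothetical stand-in that reproduces the `[Invalid]` output shown above; it is not Portcullis's real logic, and it also shows what a blacklist does to an ordinary sentence that happens to contain SQL verbs.

```python
import re
import sqlite3

# Constructed sample input: the payload the post quotes, and a harmless sentence with SQL verbs in it.
PAYLOAD = "a';DROP TABLE users; SELECT * FROM data WHERE 't' = 't"
BENIGN = "Select a time to drop me a line for our update on the project."

# Hypothetical stand-in for a keyword blacklist, written for this example (not Portcullis's code).
SQL_KEYWORDS = re.compile(r"\b(select|insert|update|delete|drop)\b", re.IGNORECASE)


def keyword_scrub(text: str) -> str:
    """Replace SQL keywords with [Invalid], the way the post's sample output shows."""
    return SQL_KEYWORDS.sub("[Invalid]", text)


def make_db() -> sqlite3.Connection:
    """In-memory database holding the two tables the post's statement references."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.execute("CREATE TABLE data (t TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    return conn


def table_exists(conn: sqlite3.Connection, table: str) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None


def concatenated_lookup(conn: sqlite3.Connection, name: str) -> None:
    """The vulnerable pattern: the input is pasted into the SQL text. executescript stands in
    for a driver that accepts several statements per request, so every statement runs."""
    conn.executescript("SELECT * FROM users WHERE name = '" + name + "';")


def parameterized_lookup(conn: sqlite3.Connection, name: str) -> list:
    """The cfqueryparam equivalent: the value is bound as data and never parsed as SQL."""
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(parameterized_lookup(db, PAYLOAD), table_exists(db, "users"))  # [] True
    print(keyword_scrub(PAYLOAD))
    print(keyword_scrub(BENIGN))  # the blacklist mangles harmless text too
    concatenated_lookup(db, PAYLOAD)
    print(table_exists(db, "users"))  # False
```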

Summary

So you can see there is a lot of value in using something like Portcullis to consistently protect and sanitize your inputs. What I've done is incorporate the project into Model-Glue and make it easy to use. Basically, if you want to protect everything, you should be able to flip a switch in your ColdSpring.xml file. This will be good for some sites and help out in a big way. However, we want to make sure we are adding maximum value and giving you, the Model-Glue users, the ability to use this in a flexible and useful manner.

I'd like to see discussion on how this feature might be used, how folks would want to use it and any gotchas or pitfalls that you can see. Please use the comments, or the MG Mailing List for your questions and concerns.

Comments
What happens if I ask you to drop me a line if you need any help? (since the word "drop" seems dangerous)
# Posted By Steve Bryant | 11/24/09 1:41 PM
It probably isn't going to like that at all. It won't like this either:

Select a time to drop me a line for our update on the project.

Gets scanned into:

[Invalid] a time to [Invalid] me a line for our [Invalid] on the project.
# Posted By Dan Wilson | 11/24/09 1:47 PM
and what about messages :
insert me in your newsletter archive?
delete me from your newsletter archive?
# Posted By salvatore fusto | 11/25/09 2:07 AM
excuse me:
insert me into.....
# Posted By salvatore fusto | 11/25/09 2:08 AM
For XSS, I use this function in the onRequestStart method in Application.cfc and it works great:

<cffunction name="sanitizeXSS" access="private" output="false" returntype="void">
   <cfscript>
      var key = "";
      // HTML-encode every URL and FORM value before the request is processed
      for (key in URL)
      {
         URL[key] = HTMLEditFormat(URL[key]);
      }
      for (key in FORM)
      {
         FORM[key] = HTMLEditFormat(FORM[key]);
      }
   </cfscript>
</cffunction>
# Posted By Joel Tobey | 11/25/09 9:39 AM
© 2017 Joe Rinehart