Does IsValid() protect from XSS?

Does using IsValid() to validate an email address or a URL format protect from XSS? Does it negate XSS when other formats are specified?

Answers


A valid URL can still contain an attack vector:

<!--- No on CF9 --->
<cfoutput>#isValid("url", "http://www.mydomain.com/products/products.asp?productid=123; DROP TABLE Products")#</cfoutput>

<!--- Yes on CF9: hex encoded ';DROP TABLE Products' --->
<cfoutput>#isValid("url", "http://www.mydomain.com/products/products.asp?productid=123%3B%20%44%52%4F%50%20%54%41%42%4C%45%20%50%72%6F%64%75%63%74%73")#</cfoutput>

Granted the above is not an XSS attack, but it could be changed to instead update columns with an attack.

Email validation appears to prevent the attacks I could find.

As a generalization, isValid() helps prevent XSS attacks when the datatype is finite - integers, SSNs, UUIDs, etc. However, there's a laundry list of documented potential attacks against fields whose only datatype per se is 'string'. In that case, isValid() is of no help; rather, OWASP's AntiSamy is a useful tool for this purpose that traverses the DOM and removes anything not whitelisted.

"Best regex to catch XSS (Cross-site Scripting) attack (in Java)?" provides a lot of useful information on the general topic of XSS prevention.

And finally to belabor the point, use:

<cfqueryparam cfsqltype="..." value="...">

to protect queries.

Update

Last, but not least, OWASP XSS Cheat Sheet: best set of heuristics out there for processing input to prevent XSS.
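The point the answer makes, as an added example that is not part of the answer or of ColdFusion itself: a purely syntactic URL check (a constructed stand-in for isValid("url"), not its real implementation) accepts the hex-encoded URL quoted above and a URL whose query carries raw markup, so the only thing that keeps such a value from becoming XSS on output is context-aware encoding, not the validation.

```python
import html
import re
from urllib.parse import unquote, urlsplit

# Constructed stand-in for isValid("url"): a syntactic check only. This is an
# assumption for the example, not ColdFusion's actual implementation.
URL_RE = re.compile(r"^(https?|ftp)://[^\s/?#]+(?:[/?#][^\s]*)?$", re.IGNORECASE)


def is_valid_url(value: str) -> bool:
    """True when the value *looks* like a URL; says nothing about what it carries."""
    return URL_RE.match(value) is not None


def decoded_query(value: str) -> str:
    """What the receiving application actually sees once it percent-decodes."""
    return unquote(urlsplit(value).query)


def render_link_validate_only(value: str) -> str:
    """The pattern the question asks about: validate the format, then echo it raw."""
    if not is_valid_url(value):
        raise ValueError("not a URL")
    return f'<a href="{value}">{value}</a>'


def render_link_encoded(value: str) -> str:
    """Validation plus HTML output encoding (attribute and body context)."""
    if not is_valid_url(value):
        raise ValueError("not a URL")
    safe = html.escape(value, quote=True)  # encodes & < > " '
    return f'<a href="{safe}">{safe}</a>'


# Constructed inputs. The first is the hex-encoded URL from the answer above;
# the second carries a raw quote and a tag in its query string.
PAGE_URL = ("http://www.mydomain.com/products/products.asp?productid=123"
            "%3B%20%44%52%4F%50%20%54%41%42%4C%45%20%50%72%6F%64%75%63%74%73")
MARKUP_URL = 'http://www.mydomain.com/search.asp?q="><b>injected</b>'

if __name__ == "__main__":
    for url in (PAGE_URL, MARKUP_URL):
        print(is_valid_url(url), decoded_query(url))
        print(render_link_validate_only(url))  # markup survives into the page
        print(render_link_encoded(url))        # markup is rendered as text
```

The version with spaces from the answer fails the syntactic check here too, while the percent-encoded one passes and decodes to the same payload; the query itself is the job of cfqueryparam, and the HTML output is the job of encoding.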

