
Canonicalize alternative for CF9


I have an application running on CF2016. We recently added Canonicalize() and some other functions to prevent XSS attacks. Most of the clients using this app are on CF2016, but a couple of them are on CF9 (to be upgraded next year or so). The code fails because there is no such function in CF9. There are many ways to handle it, but if I have to write a custom Canonicalize function, how can I encode the input with native CF9 functions?


Solution

  • I asked a question that works in the opposite direction a while back. See: ColdFusion doing OWASP esapi via Java

    Canonicalization is done via OWASP ESAPI. First you create a Java object; it has all of the encoding functions.

    // Load the ESAPI entry point and keep one Encoder instance for the whole application
    local.esapi = createObject("java", "org.owasp.esapi.ESAPI");
    application.esapiEncoder = local.esapi.encoder();
    

    Later you can

    // Reduce any URL/HTML/JS encoding of the input to its plain form before validating it
    myVariable = application.esapiEncoder.canonicalize(myVariable);
    

    For a complete list of all the functions that come with org.owasp.ESAPI.encoder(), see: https://static.javadoc.io/org.owasp.esapi/esapi/2.0.1/org/owasp/esapi/Encoder.html
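A wrapper that uses the native Canonicalize() BIF on CF10 and later and falls back to the ESAPI Java encoder from the answer above on CF9, so one code base runs on both versions. This is an added example, not code from the question or the answer; it assumes the ESAPI jar (org.owasp.esapi.ESAPI) is loadable via createObject on the CF9 hosts, and the sample input is constructed.

```cfml
<cfscript>
// Added example: version-aware canonicalize() wrapper for CF9 and CF2016.
// Assumes org.owasp.esapi.ESAPI is on the CF9 classpath (same assumption as the answer above).
function safeCanonicalize(required string input, boolean strict = true) {
    // server.coldfusion.productversion looks like "9,0,1,274733"; the first element is the major version
    var majorVersion = val(listFirst(server.coldfusion.productversion));

    if (majorVersion >= 10) {
        // Native BIF: restrictMultiple and restrictMixed reject double- and mixed-encoded input
        return canonicalize(arguments.input, arguments.strict, arguments.strict);
    }

    // CF9 fallback: build one ESAPI Encoder and cache it in the application scope
    if (!structKeyExists(application, "esapiEncoder")) {
        lock scope="application" type="exclusive" timeout="10" {
            if (!structKeyExists(application, "esapiEncoder")) {
                application.esapiEncoder = createObject("java", "org.owasp.esapi.ESAPI").encoder();
            }
        }
    }

    // ESAPI Encoder.canonicalize(String, boolean strict): with strict=true it throws an
    // IntrusionException when it detects multiple or mixed encoding instead of decoding it
    return application.esapiEncoder.canonicalize(arguments.input, javaCast("boolean", arguments.strict));
}

// Constructed sample: URL-encoded "<script>", which a naive string check would not recognise
sample = "%3Cscript%3E";
decoded = safeCanonicalize(sample);
writeOutput(encodeForHTML(decoded));   // shows the decoded "<script>" safely on the test page
</cfscript>
```

On both paths the strict mode raises an exception for double or mixed encoding; catch it in the caller and reject the request rather than falling back to the raw value.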