Does IsValid() protect from XSS?

Question

Does using IsValid() to validate an email address or a URL format protect from XSS? Does it negate XSS when other formats are specified?

Answer 1

A valid URL can still contain an attack vector:

<!--- No on CF9 --->
<cfoutput>#isValid("url", "http://www.mydomain.com/products/products.asp?productid=123; DROP TABLE Products")#</cfoutput>

<!--- Yes on CF9: hex encoded ';DROP TABLE Products' --->
<cfoutput>#isValid("url", "http://www.mydomain.com/products/products.asp?productid=123%3B%20%44%52%4F%50%20%54%41%42%4C%45%20%50%72%6F%64%75%63%74%73")#</cfoutput>

Granted the above is not an XSS attack, but it could be changed to instead update columns with an attack.

Email validation appears to prevent the attacks I could find.

As a generalization, isValid() helps prevent XSS attacks when the datatype is finite - integers, SSNs, UUIDs, etc.. however, there's a laundry list of documented potential attacks against fields whose only datatype per se is 'string'. In that case, isValid() is of no help, rather OWASP's AntiSamy is a useful tool for this purpose that traverses the DOM and removes anything not whitelisted.

Best regex to catch XSS (Cross-site Scripting) attack (in Java)? provides a lot of useful information on the general topic of XSS prevention.

And finally to belabor the point, use:

<cfqueryparam cfsqltype="..." value="...">

to protect queries.

Update

Last, but not least, OWASP XSS Cheat Sheet: best set of heuristics out there for processing input to prevent XSS.