Question
I have some old ColdFusion code. It was originally written for CF9 but is now running on CF 2016.
application.cfc:
```cfml
local.esapi = createObject("java", "org.owasp.esapi.ESAPI");
application.esapiEncoder = local.esapi.encoder();
```
Much later, in a regular page:
```cfml
form.Reason = application.esapiEncoder.encodeForHtml(form.Reason);
```
I am thinking of replacing this with:
```cfml
form.Reason = encodeForHTML(form.Reason);
```
Do these function the same?
Answer 1:
Yes, the encodeForX() functions use OWASP's ESAPI behind the scenes. encodeForHTML() is CF10+ and has a canonicalize argument, which takes the input down to its lowest factor. CF2016 added an encodeFor argument to the cfoutput tag for outputting that does similar.

There's also the canonicalize() function, which will throw an error that you can catch. That's useful for seeing if someone is trying to throw nefarious inputs at your form or site. I can't think of a legitimate reason for double- or multi-encoding an input, and I would interpret such as an attack. The canonicalize argument in the encodeForX() functions will take it down to its base evaluation, but it doesn't throw an error and just returns the resulting output. Personally, I'm not sure that there's much of an accidental way to pass a value that would be picked up by canonicalization, and I'd simply rather catch that attempt and kick that user off of my site.
https://helpx.adobe.com/coldfusion/cfml-reference/coldfusion-functions/functions-e-g/encodeforhtml.html
https://helpx.adobe.com/coldfusion/cfml-reference/coldfusion-functions/functions-c-d/Canonicalize.html
https://www.owasp.org/index.php/Category:Encoding
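As an added example (not code from the question or the answer above), the CFML script below puts the Java ESAPI encoder and the built-in encodeForHTML() side by side, then shows the distinction the answer draws between encodeForHTML()'s canonicalize argument, which quietly normalises multi-encoded input before encoding it, and canonicalize(), which can throw so that the attempt is caught and logged. It assumes Adobe ColdFusion 2016 with the bundled ESAPI jar (encodeForHTML and canonicalize are CF10+; the fourth throwOnError argument of canonicalize is CF11+). The sample inputs and the cleanOrReject() helper are constructed for illustration and are not part of the original page.

```cfml
<cfscript>
// Added example: not from the original question or answer.
// Assumes Adobe ColdFusion 2016 and its bundled ESAPI jar.

// 1. The two encoders the question compares, applied to the same constructed input.
esapiEncoder = createObject("java", "org.owasp.esapi.ESAPI").encoder();
raw = "<script>alert('x')</script>";   // constructed sample, not user data

viaJava = esapiEncoder.encodeForHTML(raw);   // direct call into the ESAPI jar
viaCfml = encodeForHTML(raw);                // CF10+ built-in, backed by the same ESAPI
writeOutput("Java ESAPI: " & viaJava & "<br>");
writeOutput("CFML built-in: " & viaCfml & "<br>");
writeOutput("Identical output: " & yesNoFormat(compare(viaJava, viaCfml) EQ 0) & "<br>");

// 2. encodeForHTML(value, true) canonicalizes first: a payload that was HTML-encoded
//    twice is reduced to plain "<script>" and then encoded exactly once. Without the
//    flag the literal text is encoded as given. Neither form raises an error.
doubleEncoded = "&amp;lt;script&amp;gt;";   // constructed: "<script>" entity-encoded twice
writeOutput("canonicalize=true: " & encodeForHTML(doubleEncoded, true) & "<br>");
writeOutput("canonicalize=false: " & encodeForHTML(doubleEncoded) & "<br>");

// 3. canonicalize() with restrictMultiple and restrictMixed set (and throwOnError,
//    CF11+) throws when the input carries more than one layer or kind of encoding,
//    which is the behaviour the answer prefers: catch it, log it, reject the request.
//    cleanOrReject() is a hypothetical helper written for this example.
function cleanOrReject(required string value) {
    try {
        return canonicalize(arguments.value, true, true, true);
    } catch (any ex) {
        // Record who sent what, then refuse the input rather than silently normalising it.
        writeLog(file="intrusion",
                 text="Multi-encoded input from #cgi.remote_addr#: #arguments.value#");
        throw(type="InputRejected", message="Multi-encoded input rejected");
    }
}

// Constructed inputs: plain text, single-encoded text (accepted and decoded),
// and double-encoded text (rejected).
samples = ["Hello, world", "&lt;b&gt;bold&lt;/b&gt;", "&amp;lt;script&amp;gt;"];
for (s in samples) {
    try {
        writeOutput("accepted: " & encodeForHTML(cleanOrReject(s)) & "<br>");
    } catch (InputRejected rejected) {
        writeOutput("rejected: " & encodeForHTML(s) & "<br>");
    }
}
</cfscript>
```

The pattern to take from step 3 is that canonicalization and output encoding are separate decisions: canonicalize once at the trust boundary (and treat a thrown exception as a signal, not as noise), then encode for the specific output context at the point of output. Using encodeForHTML(value, true) alone collapses both into one silent step, which is convenient but loses the intrusion signal the answer wants to act on.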
Source: https://stackoverflow.com/questions/53198996/coldfusion-doing-owasp-esapi-via-java