isSafeHTML

Checks an HTML string against an AntiSamy policy file to determine whether it contains markup that could be used for XSS (Cross Site Scripting). The function only reports the result as a Boolean; it does not modify the input.

isSafeHTML(inputString [, PolicyFile]) → returns Boolean

This function requires Adobe ColdFusion 11 or later. It is not supported on Lucee, OpenBD, etc.

Argument Reference for the isSafeHTML function

inputString

Required: Yes
String to be validated

PolicyFile

Required: No
File path to a custom AntiSamy policy file. If omitted, the policy configured for the application is used, or, if none is configured there, the ColdFusion server default policy. Note that the result is only as strict as the policy in use: a permissive policy will report markup as safe that a stricter one would reject.


Examples: sample code invoking the isSafeHTML function


Unsafe HTML Example

Example with HTML that causes isSafeHTML to return false. The onmouseover event-handler attribute is rejected by the default policy; note that the attribute value is unquoted, which browsers still execute.

<!--- Capture the untrusted markup in a variable --->
<cfsavecontent variable="html">
    <div onmouseover=alert(1)>
</cfsavecontent>
<!--- Check it against the default AntiSamy policy --->
<cfoutput>#isSafeHTML(html)#</cfoutput>

Expected Result: no


Safe HTML Example

Example with HTML that is safe under the default policy: a plain anchor with an https URL and a title attribute.

<!--- Capture the markup in a variable --->
<cfsavecontent variable="html">
    <a href="https://foundeo.com/" title="ColdFusion Consulting &amp; Security">Foundeo Inc.</a>
</cfsavecontent>
<!--- Check it against the default AntiSamy policy --->
<cfoutput>#isSafeHTML(html)#</cfoutput>

Expected Result: yes
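Validating user-submitted HTML with isSafeHTML

The following is an added example, not code from the original page or from Adobe: it shows isSafeHTML used as a gate for a rich-text comment field, with an optional custom policy file and a fallback to the application/server default. The policy path (/config/antisamy-comments.xml), the validateComment and sanitizeComment helpers, and the sample inputs are all assumptions constructed for illustration. The inputs combine benign markup with the attack patterns the page demonstrates (event-handler attributes) plus javascript: URLs.

```cfml
<cfscript>
// Added example (not from the original page). Gate user-submitted HTML on
// isSafeHTML() before storing it. Policy path, helper names and sample inputs
// are assumptions made for this illustration.

// Constructed sample inputs: what a user might paste into a comment field.
samples = [
    '<p>Hello <b>world</b></p>',
    '<a href="https://example.com/">link</a>',
    '<img src=x onerror=alert(document.cookie)>',
    '<a href="javascript:alert(1)">click</a>',
    '<div onmouseover=alert(1)>hover me</div>'
];

// Optional custom policy, assumed to live under the web root. If the file is
// missing, fall back to the policy configured for the application or server.
policyFile = expandPath("/config/antisamy-comments.xml");
usePolicy  = fileExists(policyFile);

// Returns a struct describing whether the HTML was accepted unchanged.
// Rejecting (rather than silently rewriting) lets the user see why the post failed.
function validateComment(required string html) {
    var safe = usePolicy
        ? isSafeHTML(arguments.html, policyFile)
        : isSafeHTML(arguments.html);
    if (safe) {
        return { "accepted": true, "html": arguments.html };
    }
    return { "accepted": false, "html": "", "reason": "HTML rejected by AntiSamy policy" };
}

// Alternative for sites that prefer to clean rather than reject: getSafeHTML()
// applies the same policy and returns a sanitized copy of the input.
function sanitizeComment(required string html) {
    return usePolicy
        ? getSafeHTML(arguments.html, policyFile)
        : getSafeHTML(arguments.html);
}

// Report the verdict for each sample. The raw input is HTML-encoded before being
// written to the page so that the rejected samples are displayed, not executed.
for (s in samples) {
    result = validateComment(s);
    writeOutput(
        encodeForHTML(s) & " =&gt; "
        & (result.accepted ? "accepted" : "rejected")
        & "<br>"
    );
}
</cfscript>
```

Which samples pass depends entirely on the policy file in use. Under the default policy the first two are expected to be accepted and the onerror/onmouseover handlers rejected, as the page's own examples show; a custom policy that whitelists additional tags or attributes will change that outcome, so the policy file should be treated as security configuration and reviewed like code. isSafeHTML is a check, not a fix: the input is stored or displayed exactly as submitted when it passes, and the output encoding (encodeForHTML above) is still needed wherever untrusted strings are written into a page outside the validated HTML fragment.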

