isSafeHTML

Checks an HTML string against an AntiSamy policy file to determine whether it may be vulnerable to XSS (Cross Site Scripting).

isSafeHTML(inputString [, PolicyFile]) → returns boolean

This function requires Adobe ColdFusion 11 and up. It is not supported on Lucee and other CFML engines.

Argument Reference

inputString string
Required

String to be validated

PolicyFile string

File path of a custom AntiSamy policy file. The policy can also be defined in the application scope; if neither is provided, the ColdFusion server's default AntiSamy policy is used.


Examples
Sample code invoking the isSafeHTML function

Example with HTML that causes isSafeHTML to return false.

<cfsavecontent variable="html">
    <div onmouseover=alert(1)>
</cfsavecontent>
<cfoutput>#isSafeHTML(html)#</cfoutput>

Expected Result: no

Example with HTML that is safe on the default policy.

<cfsavecontent variable="html">
    <a href="https://foundeo.com/" title="ColdFusion Consulting &amp; Security">Foundeo Inc.</a>
</cfsavecontent>
<cfoutput>#isSafeHTML(html)#</cfoutput>

Expected Result: yes
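The following is an added example, not code from the original page, showing how the two-argument form from the signature above fits into an input-validation step: it applies a custom AntiSamy policy when the file exists, falls back to the server default otherwise, and rejects (and logs) input that fails the policy instead of storing it. The policy path /config/antisamy-policy.xml, the helper name validateHtmlSubmission and the sample submissions are all assumptions constructed for this example.

```cfml
<!--- Added example (not from the original page): validate user-submitted HTML
      with isSafeHTML before accepting it. The policy file path is a placeholder;
      point it at your own AntiSamy policy XML. --->
<cfscript>
function validateHtmlSubmission(required string userHtml, string policyPath = "") {
    // Result structure: safe flag, the accepted HTML (empty if rejected) and a reason
    var result = { "safe": false, "html": "", "reason": "" };

    // Use the custom policy only when the file is actually present; otherwise
    // rely on the ColdFusion server default policy (single-argument form).
    if (len(arguments.policyPath) && fileExists(arguments.policyPath)) {
        result.safe = isSafeHTML(arguments.userHtml, arguments.policyPath);
    } else {
        result.safe = isSafeHTML(arguments.userHtml);
    }

    if (result.safe) {
        result.html = arguments.userHtml;
    } else {
        // Reject rather than silently altering the input; the log entry gives
        // operations a signal that someone is submitting markup the policy forbids.
        result.reason = "Input rejected by AntiSamy policy";
        writeLog(type="warning", file="htmlvalidation", text=result.reason);
    }
    return result;
}

// Constructed sample submissions for demonstration only
submissions = [
    '<p>Hello <strong>world</strong></p>',
    '<div onmouseover=alert(1)>hover me</div>',
    '<a href="https://foundeo.com/" title="ColdFusion Consulting">Foundeo Inc.</a>'
];

// Placeholder path to a custom AntiSamy policy (assumed; adjust for your deployment)
policyPath = expandPath("/config/antisamy-policy.xml");

for (submission in submissions) {
    r = validateHtmlSubmission(submission, policyPath);
    // Encode the raw submission before echoing it so the demo itself does not reflect markup
    writeOutput("safe=" & r.safe & " for " & encodeForHTML(submission) & "<br>");
}
</cfscript>
```

Because isSafeHTML returns a boolean, the caller decides what to do with a failing string; the example rejects it outright, which is the appropriate choice when the stored content will later be rendered to other users and silent sanitisation would hide that a submission was malformed.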
