Checks an HTML string against an AntiSamy policy file to determine whether it may be vulnerable to XSS (Cross-Site Scripting).

isSafeHTML(inputString [, PolicyFile]) → returns boolean

This function requires Adobe ColdFusion 11 or later. It is not supported on Lucee or other CFML engines.

Argument Reference

inputString string

String to be validated

PolicyFile string

Path to a custom AntiSamy policy file. If omitted, the policy configured in the application scope is used; if none is configured there, the ColdFusion server default policy is used.


Sample code invoking the isSafeHTML function

Example with HTML that causes isSafeHTML to return false.

<cfsavecontent variable="html">
    <div onmouseover=alert(1)>
</cfsavecontent>
<!--- The inline event handler is not allowed by the default policy, so the check fails. --->
<cfoutput>#isSafeHTML(html)#</cfoutput>

Expected Result: no

Example with HTML that is safe on the default policy.

<cfsavecontent variable="html">
    <a href="" title="ColdFusion Consulting &amp; Security">Foundeo Inc.</a>
</cfsavecontent>
<!--- A plain anchor with href and title attributes is permitted by the default policy. --->
<cfoutput>#isSafeHTML(html)#</cfoutput>

Expected Result: yes
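A validation helper built around isSafeHTML, added here as an example rather than code from cfdocs or Adobe. The function name validateSubmission, the log file name and the sample inputs are assumptions; the optional policyFile argument is passed through to isSafeHTML only when supplied, so the application or server policy applies otherwise.

```cfml
<cfscript>
// Validates user-submitted HTML against the AntiSamy policy before it is stored.
// policyFile is a hypothetical path; leave it empty to use the application or server default.
function validateSubmission(required string userHtml, string policyFile = "") {
    var safe = len(arguments.policyFile)
        ? isSafeHTML(arguments.userHtml, arguments.policyFile)
        : isSafeHTML(arguments.userHtml);

    if (!safe) {
        // Reject rather than silently strip, and never echo the rejected markup
        // back into a page unencoded. Log only the length, not the payload itself.
        writeLog(type="warning", file="htmlvalidation",
                 text="Rejected HTML submission failing AntiSamy policy (length #len(arguments.userHtml)#)");
        return { "accepted": false, "reason": "Markup not allowed by policy" };
    }

    return { "accepted": true, "html": arguments.userHtml };
}

// Constructed sample inputs mirroring the two documented cases above.
unsafeInput = '<div onmouseover=alert(1)>hover</div>';
safeInput   = '<a href="https://example.com" title="Example">Example</a>';

writeOutput("unsafe accepted: " & validateSubmission(unsafeInput).accepted & "<br>");
writeOutput("safe accepted: "   & validateSubmission(safeInput).accepted   & "<br>");
</cfscript>
```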
