isSafeHTML

Checks an HTML string against an AntiSamy policy file to determine whether it may be vulnerable to XSS (cross-site scripting).

isSafeHTML(inputString [, PolicyFile]) → returns Boolean

This function requires Adobe ColdFusion 11 and up. Not supported on Lucee, OpenBD, etc.

isSafeHTML Argument Reference

inputString
Required

String to be validated

PolicyFile

File path of a custom AntiSamy policy file. The policy can also be defined in the application scope; if no policy is given in either place, the ColdFusion server default policy is used.


Examples: sample code invoking the isSafeHTML function


Unsafe HTML Example

Example with HTML that causes isSafeHTML to return false.

<cfsavecontent variable="html">
    <div onmouseover=alert(1)>
</cfsavecontent>
<cfoutput>#isSafeHTML(html)#</cfoutput>

Expected Result: no


Safe HTML Example

Example with HTML that is safe under the default policy.

<cfsavecontent variable="html">
    <a href="https://foundeo.com/" title="ColdFusion Consulting &amp; Security">Foundeo Inc.</a>
</cfsavecontent>
<cfoutput>#isSafeHTML(html)#</cfoutput>

Expected Result: yes
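A worked example added here, not part of the original CFDocs page: a small validation routine that runs user-submitted HTML through isSafeHTML before it is stored or rendered, and falls back to encodeForHTML (rendering the markup as inert text) when the input fails the policy. The policy file path config/antisamy-policy.xml, the checkUserHtml function and the two sample inputs are assumptions constructed for illustration; when no policy path is supplied the server default policy is used, as the argument reference above describes.

```cfml
<cfscript>
// Added example (not from the original page): validate user-supplied HTML
// with isSafeHTML before accepting it.
// Assumption: a custom AntiSamy policy file lives at /config/antisamy-policy.xml
// under the web root. Pass an empty policyFile to use the server default.
// (Adobe ColdFusion also allows setting the policy application-wide via
//  this.security.antisamypolicy in Application.cfc.)

function checkUserHtml(required string userHtml, string policyFile = "") {
    var isSafe = len(arguments.policyFile)
        ? isSafeHTML(arguments.userHtml, arguments.policyFile)
        : isSafeHTML(arguments.userHtml);

    if (isSafe) {
        // Markup passed the policy: it may be stored and rendered as HTML.
        return { "accepted": true, "html": arguments.userHtml };
    }

    // Markup violated the policy (e.g. an event-handler attribute):
    // never store or echo the raw input; encode it so it renders as text.
    return { "accepted": false, "html": encodeForHTML(arguments.userHtml) };
}

// Constructed sample inputs: one plain link, one carrying an inline event handler.
samples = [
    '<a href="https://example.com/" title="Docs">Docs</a>',
    '<div onmouseover=alert(1)>hover me</div>'
];

policyFile = expandPath("/config/antisamy-policy.xml");
if (!fileExists(policyFile)) {
    policyFile = "";   // fall back to the ColdFusion server default policy
}

for (sample in samples) {
    result = checkUserHtml(sample, policyFile);
    writeOutput((result.accepted ? "accepted: " : "rejected, shown encoded: ")
        & result.html & "<br>");
}
</cfscript>
```

With the default policy the first sample is accepted and rendered as a link, while the second is rejected and displayed as encoded text rather than active markup; the same decision can be used server-side to refuse the submission outright instead of encoding it.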

