Does ColdBox in its framework prevent code injection? Not SQL injection,
just plain old code injection, JavaScript, etc.
Yes, actually we use the AntiSamy project in the core, as we know this
is critical.
You will find it as a core plugin: AntiSamy.
You can use the predefined policies or create your own.
Do you have an example of how this is accomplished?
It is in the docs in the wiki under plugins. The plugin only has one method. Super easy.
Try
http://wiki.coldbox.org/wiki/Dashboard.cfm
Scroll down to the plugins section
Regards,
Andrew Scott
http://www.andyscott.id.au/
That did it thanks!!!
You may also (depending on the scale of your project and sensitivity/risk) want to look at OWASP which can be implemented via Java and offers protection specific to the context the user-provided data will be rendered in.
Jason Dean gave a great presentation on this topic at Adobe MAX, which is now available on our site: http://tv.adobe.com/watch/max-2010-develop/securing-coldfusion-applications/
Thanks,
The good stuff starts about 12 min into the video.
AntiSamy is an OWASP project, Aaron.
http://wiki.coldbox.org/wiki/Plugins:AntiSamy.cfm
Luis F. Majano
President
Ortus Solutions, Corp
ColdBox Platform: http://www.coldbox.org
Linked In: http://www.linkedin.com/pub/3/731/483
Blog: http://www.luismajano.com
IECFUG Manager: http://www.iecfug.com
Sorry. I should have been more specific. Thanks.
I was referring to their Enterprise solution ESAPI. Here is more information.
- Jason Dean’s slide deck: http://www.12robots.com/enclosures/SecuringColdFusionUhley-Dean.pdf
- General Information: http://www.owasp.org/index.php/Main_Page
- JavaDocs: http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/index.html
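The thread touches two different OWASP tools: AntiSamy, which sanitizes rich HTML input against a policy, and the ESAPI encoders, which escape untrusted data for the specific output context it is rendered into (HTML body, HTML attribute, JavaScript string). The following is an added illustration of the second idea, written for this thread; it is not code from ColdBox, AntiSamy or ESAPI. The three encoders re-implement the ESAPI rule of thumb (encode everything that is not alphanumeric, with a small per-context set of "immune" characters) in plain JavaScript, and `renderProfile` is a constructed template that places one untrusted value into all three contexts. The immune sets and the `renderProfile` markup are assumptions made for the example.

```javascript
// Added example: context-specific output encoding in the style of the OWASP
// ESAPI encoders. Not ESAPI's own code; the immune-character sets below are
// a simplification chosen for this illustration.

const ALNUM = /^[A-Za-z0-9]$/;

// Hex with a minimum width, uppercase so entities and escapes read alike.
function hex(codePoint, width) {
  return codePoint.toString(16).toUpperCase().padStart(width, '0');
}

// HTML body context (text between tags). Named entities for the characters
// that matter most, numeric entities for every other non-alphanumeric
// character except a few harmless "immune" ones.
function encodeForHTML(input) {
  const immune = ',.-_ ';
  const named = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  let out = '';
  for (const ch of String(input)) {
    if (ALNUM.test(ch) || immune.includes(ch)) out += ch;
    else if (named[ch]) out += named[ch];
    else out += '&#x' + hex(ch.codePointAt(0), 2) + ';';
  }
  return out;
}

// Quoted HTML attribute context. Space is NOT immune here: a raw space lets
// a value break out of one attribute and start another (e.g. an event handler).
function encodeForHTMLAttribute(input) {
  const immune = ',.-_';
  let out = '';
  for (const ch of String(input)) {
    if (ALNUM.test(ch) || immune.includes(ch)) out += ch;
    else out += '&#x' + hex(ch.codePointAt(0), 2) + ';';
  }
  return out;
}

// JavaScript string-literal context. HTML entities are useless here (the JS
// engine does not decode them), so use \xHH / \uHHHH escapes instead. Encoding
// '<' and '/' also prevents a literal "</script>" from closing the block.
function encodeForJavaScript(input) {
  const immune = ',._';
  let out = '';
  for (const ch of String(input)) {
    const cp = ch.codePointAt(0);
    if (ALNUM.test(ch) || immune.includes(ch)) out += ch;
    else if (cp < 0x100) out += '\\x' + hex(cp, 2);
    else if (cp <= 0xFFFF) out += '\\u' + hex(cp, 4);
    else for (let i = 0; i < ch.length; i++) out += '\\u' + hex(ch.charCodeAt(i), 4); // surrogate pair
  }
  return out;
}

// Constructed template: the same untrusted value lands in three contexts,
// each with the encoder that matches where it is rendered.
function renderProfile(displayName) {
  return [
    '<h1>' + encodeForHTML(displayName) + '</h1>',
    '<input type="text" value="' + encodeForHTMLAttribute(displayName) + '">',
    '<script>var name = "' + encodeForJavaScript(displayName) + '";</script>'
  ].join('\n');
}

// Constructed sample input, typical of what a test suite would feed a template.
console.log(renderProfile('"><img src=x onerror=alert(1)>'));
```

The point the example makes is the one Aaron raises: the right encoder depends on where the data is going. HTML-entity encoding a value that is then written into a `<script>` string does nothing useful, and attribute context needs stricter treatment than body text because whitespace itself is a delimiter there. Sanitizing with AntiSamy is the complementary step for input that is supposed to contain HTML (a rich-text comment), while plain values that should never contain markup are best handled by encoding at output time.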