Coldbox Code Injection

Does ColdBox in its framework prevent code injection? Not SQL injection,
just plain old code injection, JavaScript, etc.

Yes, actually we use the AntiSamy project in the core, as we know this
is critical.

You will find it as a core plugin: AntiSamy

You can use the predefined policies or create your own.

Do you have an example of how this is accomplished?

It is in the docs in the wiki under plugins. The plugin only has one method. Super easy.

Has the "create your own" been fixed yet?

Andrew Scott

Luis, is it here?

I do not see AntiSamy there...


Scroll down to the plugins section

Andrew Scott

That did it, thanks!!!

You may also (depending on the scale of your project and sensitivity/risk) want to look at OWASP, which can be implemented via Java and offers protection specific to the context the user-provided data will be rendered in.

Jason Dean gave a great presentation on this topic at Adobe MAX, which is now available on our site:


The good stuff starts about 12 min into the video.

AntiSamy is an OWASP project, Aaron :slight_smile:

Luis F. Majano
Ortus Solutions, Corp

ColdBox Platform:
Linked In:
IECFUG Manager:

Sorry. I should have been more specific. Thanks.

I was referring to their Enterprise solution, ESAPI. Here is more information.