In this hands on, we are going to add security to the blog comments. As this section allows users to supply data that will be stored in a database and will also be output to other users, this is a weakest point of the application.
Tags Used: <cfif>, <cfset>, <cfthrow>
Functions Used: isSimpleValue, canonicalize, CSRFGenerateToken, CSRFverifyToken, encodeForHTML
- Open up the /www/blogpost.cfm file in your code editor.
- The first thing we are going to do is add some checks to make sure the values in the form are all simple values. Locate the <cfif> statement that checks if the form has been submitted on or around line 3.
-
Inside the <cfif>, prior to creating a new blogcomment entity, create a new if statement that checks if the form.author variable is a simple value. Your code should look similar to this:
<cfif isSimpleValue(form.author)>
</cfif>
-
Once we know the value is a simple value, we need to call the canonicalize() method on the form.author value. To make things easier, assign the result of the canonicalize() call back to the form.author variable. The code will look similar to this:
<cfset form.author = canonicalize(form.author, true, true) />
</li> <li> Do the same for the remaining <span class="code">comment</span> variable. Your final code should look similar to this:<cfif isSimpleValue(form.author)> <cfset form.author = canonicalize(form.author, true, true) /> </cfif> <cfif isSimpleValue(form.comment)> <cfset form.comment = canonicalize(form.comment, true, true) /> </cfif>
</li> <li> Next, check if any of the values were not simple values. If one was not a simple value, it will throw an error. Create a <span class="code"><cfif></span> statement that checks if either are not simple values, and if one isn't, throw an error with the message <span class="code">Validation Error</span>. Your code should look similar to this:<cfif !isSimpleValue(form.author) || !isSimpleValue(form.comment)> <cfthrow message="Validation Error" > </cfif>
</li> <li> Next, we will utilize ColdFusion's CSRF support by generating and validating a CSRF token. Locate the hidden field in the comment form on or around line 99. </li> <li> Create a new hidden field called <span class="code">token</span>, and give it the value:#CSRFGenerateToken()#
</li> <li> Go to the top of the page and create a new <span class="code"><cfparam></span> tag for the <span class="code">form.token</span> variable and default it to empty. </li> <li> Go back to the <span class="code"><cfif></span> statement on or around line 11 which checks if any of the <span class="code">form</span> fields is not a simple value. </li> <li> Inside the <span class="code"><cfif></span> tag, check if the token value passed is a valid CSRF token. If the token is not valid, the same error will be thrown by the validation. Your final code should look similar to this:<cfif !isSimpleValue(form.author) || !isSimpleValue(form.comment) || !CSRFVerifyToken(form.token)> <cfthrow message="Validation Error" > </cfif>
</li> <li> Now that all the data has been checked on input, we now need to validate the data on output. Locate where the comment body is output to the screen on or around line 75. </li> <li> Wrap the <span class="code">#comment.comment#</span> output in an <span class="code">encodeForHTML()</span> call so that the line of code looks similar to this:#encodeForHTML(comment.comment)#
</li> <li> Make the same update for the <span class="code">author</span> output on or around line 72. </li> <li> Open up <span class="code">/www/blog.cfm</span> in your browser and navigate to a blog post. </li> <li> Confirm that the page loads successfully. </li> <li> Post a new comment and confirm that it still saves and outputs to the screen. Your blog now has additional security! Remember, even though it has security, it still not be considered 100% secure. </li>