HTML breaking in iframe src
We have a ColdFusion application with a lot of legacy code alongside a lot of new code; where the legacy code is invoked from the new code, we display it in an iframe. However, a security scan of our software has reported an issue: a few pages break when you include HTML in the URL.
Example URL: https://mySite.com/coldfusionPage.cfm?layout=true&67c26"><a>bb6cb=1
When the iframe renders it, it breaks because the quote and closing bracket in the URL end the iframe tag, and the rest of the URL and the iframe tag are rendered as HTML on the page.
If you are adding that parameter to the page without scrubbing it for malicious content, then your scanner company is correct: you are open to anyone who links to your page. You do not want to pass things through the URL that are then inserted into the page. Think about an iframe. If you have a link like this:
href="https://mySite.com/myPage.cfm?include=someIframePage.cfm"
and your page then does "get the iframe page from the URL and put it in the page", someone can come along and simply swap some other page in there, and send emails to phish for your site.
You need to make sure that any URL that is passed in has been properly sanitized. Only a few things that you receive should be allowed anywhere, and they must be escaped before they are placed into the HTML.
Note:
I noticed that you said the iframe page is an absolute path; then you are missing the point. In the example of inserting unsafe HTML on the page through the handler, or in the example of your colleague's code scan, they have true&67c26"><a>bb6cb=1
to allow unsafe HTML on the page as defined HTML, and they ding you, as they should. What if I instead choose:
https://mySite.com/coldfusionPage.cfm?layout=true&67c26"><iframe src="http://www.mysiteurl.com/somemaliciouscode.php">bb6cb=1
... my "specially encoded" URL as the final one? Can I then embed an iframe on your page? Anything that allows users to inject HTML on the page is actually a security risk. User input (URL parameters, form parameters, cookies) should be scrutinized and tested before being used. This is the easiest way to protect your page. Sorry, but I think your scan company has got it right, and I've seen tons of these scan reports :)
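The two fixes the answer describes, an allow-list for the page named in the include parameter and attribute-encoding of the URL before it is written into the iframe tag, shown as an added example that is not part of the original question or answer. It is written in Python so that it runs stand-alone; the ColdFusion-side equivalents (for example encodeForHTMLAttribute() and a validation step in the handler) are assumed, and the page names in ALLOWED_INCLUDES are constructed. The scanner string is the one quoted in the question, and the parser check at the end is what makes the difference visible: the unencoded build yields two tags, the encoded build yields exactly one iframe whose src still carries the parameters.

```python
"""Added example: safely building an iframe src from request parameters.

Models the two defences from the answer above:
  1. Only frame pages on an allow-list (the ``include=`` parameter).
  2. Percent-encode the query values and HTML-attribute-encode the whole URL
     before it is written into the tag, so quotes and angle brackets can
     never close the attribute or the tag.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlencode

# Constructed allow-list of legacy pages the new code is permitted to frame.
ALLOWED_INCLUDES = {"legacyReport.cfm", "legacyOrders.cfm"}

# The parameter name the scanner used, as quoted in the question.
SCANNER_PARAM = '67c26"><a>bb6cb'


def build_iframe_unsafe(query_string):
    """The 'before' behaviour: the raw query string lands inside the attribute."""
    return f'<iframe src="coldfusionPage.cfm?{query_string}"></iframe>'


def render_frame(include_page, params):
    """Return iframe markup for an allow-listed legacy page.

    Raises ValueError when the page is not on the allow-list, which also
    rejects absolute URLs such as a page on another host.
    """
    if include_page not in ALLOWED_INCLUDES:
        raise ValueError(f"include target not on allow-list: {include_page!r}")
    # urlencode percent-encodes keys and values, so '"', '<' and '>' cannot
    # survive into the URL; escape() then encodes the URL for an HTML
    # attribute (the '&' separators become '&amp;', which the browser decodes
    # back before fetching).
    url = include_page + "?" + urlencode(params)
    return f'<iframe src="{escape(url, quote=True)}"></iframe>'


class TagCollector(HTMLParser):
    """Collects (tag, attributes) pairs so we can see how markup parses."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def tags_in(markup):
    """Parse markup the way a browser roughly would and list its start tags."""
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


if __name__ == "__main__":
    unsafe = build_iframe_unsafe("layout=true&" + SCANNER_PARAM + "=1")
    print(unsafe)
    print("tags:", [t for t, _ in tags_in(unsafe)])      # iframe and a stray <a>

    safe = render_frame("legacyReport.cfm", {"layout": "true", SCANNER_PARAM: "1"})
    print(safe)
    print("tags:", [t for t, _ in tags_in(safe)])        # just the iframe

    try:
        render_frame("http://www.mysiteurl.com/somemaliciouscode.php", {})
    except ValueError as exc:
        print("rejected:", exc)
```

The allow-list is the part that addresses the second scenario in the answer (swapping a different page into include=); encoding alone would not stop that, because a well-formed URL to a different page is perfectly valid attribute content.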