Farcry ESAPI and XSS

Hi Guys,
Just thought it would be nice to know a bit more about the level of cross site scripting protection there is with Farcry out of the box. I see there is a lot of reference to

application.fc.lib.esapi.encodeForHTMLAttribute()

Are all fields in a content type (even custom content) protected this way?
Cheers
Phil

1 Like

Core uses the “ESAPI” lib (application.fc.lib.esapi) internally, mostly so that we can provide compatibility across ACF 9.x+ and Railo 3.2+ without requiring the use of version specific built-in functions. Any time Core outputs something in a response that needs to be encoded then it should do so (e.g. particularly forms, so anything related to ft:form, ft:object, etc), so if you use those Core tags yourself you should be ok in those instances.

In your own project(s) code you are responsible for whatever you output directly / outside of using Core features. So if you’re outputting URL and Form variables in a page you should use the appropriate built-in encoding functions that your engine supports, or you could potentially use Core’s ESAPI lib if you need cross-engine compatibility (particularly for a plugin that you want to distribute).

As for “fields in content types”, whatever you allow into the DB will also be returned in an stObj or other struct representing a custom content type. Again, if you are outputting something using ft:form / ft:object then you should be covered, but if you are outputting something yourself that has come from a user then you should always use the appropriate encoding method at the point of output.

cheers,
Justin

1 Like
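As an added illustration of the "encode at the point of output" advice above (example code, not FarCry Core's own and not posted by anyone in this thread): the same URL parameter reflected into three different output contexts. `encodeForHTMLAttribute()` is the method named in the thread; `encodeForHTML()` and `encodeForJavaScript()` on `application.fc.lib.esapi` are assumed to exist alongside it.

```cfml
<!--- Added example, not FarCry Core code. Assumes application.fc.lib.esapi also
      exposes encodeForHTML() and encodeForJavaScript() next to the
      encodeForHTMLAttribute() method mentioned in the thread. --->
<cfparam name="url.q" default="" type="string">

<!--- Unencoded: url.q is echoed verbatim, so any markup or script a user puts
      in the query string is interpreted by the browser (reflected XSS).
<p>Results for <cfoutput>#url.q#</cfoutput></p>
--->

<cfoutput>
<!--- 1. HTML body context: < > & " are escaped so the value renders as text --->
<p>Results for #application.fc.lib.esapi.encodeForHTML(url.q)#</p>

<!--- 2. HTML attribute context: attribute encoding, and the attribute value
         must stay quoted so the encoding cannot be bypassed by a space --->
<input type="text" name="q"
       value="#application.fc.lib.esapi.encodeForHTMLAttribute(url.q)#">

<!--- 3. JavaScript string context: HTML encoding is NOT sufficient inside a
         script block; the value needs JavaScript string encoding instead --->
<script>
  var lastQuery = '#application.fc.lib.esapi.encodeForJavaScript(url.q)#';
</script>
</cfoutput>

<!--- On ACF 10+ the built-in encodeForHTML(), encodeForHTMLAttribute() and
      encodeForJavaScript() functions can be used directly; the Core lib is
      mainly useful when the same code must run on several engines. --->
```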

Hi Justin,
That’s good to know and thanks for clearing that up.
Also, just spotted that if ESAPI isn’t supported (i.e. CF8) application.fc.lib.esapi defaults to using CF built-in functions like htmlEditFormat, jsStringFormat etc. … good thinking 🙂
Cheers
Phil

Yeah, it’s about the “best” fallback we could do for older engines (back in 6.2.x) 🙂

As of FarCry Core 7.x we no longer support CF8 anyway, and I’d definitely recommend anyone still on CF8 to upgrade to something newer ASAP!

My fc6.x versions are all 6.2.10, which doesn’t have the ESAPI library at all. Looks like it was introduced in 6.2.11. Which makes me wonder, would that be a feature or a patch 😉

At the time they were security patches for what was the current release, but you could call it a feature too from the perspective of the ESAPI lib that we implemented (definitely useful for cross-engine/backwards-compatibility plugins) 😄