Raymond Camden's ColdFusion Blog: Where the heck is InvalidTag coming from?

Where the heck is InvalidTag coming from?

I've gotten this question many times so I thought I'd write up a quick FAQ. If you are displaying dynamic content on your ColdFusion site and see InvalidTag instead of the HTML you thought you would - it means one of two things.

Either your ColdFusion Admin has Enable Global Script Protection turned on or your Application has scriptProtect set to true. This would be set in either the CFAPPLICATION tag or the This scope of your Application.cfc file.

This is a feature that helps prevent cross-site scripting attacks. Personally I don't use this feature as I always htmlEditFormat user input before displaying it. For more information about this feature, see this page from the LiveDocs:

Settings Page

So - raise your hand if you've seen this and had no idea what it was!

This entry was posted on Friday, January 5, 2007 at 6:44 PM. It was filed in the following categories: ColdFusion. It has been viewed 4,472 times and has 16 comments.

TweetBacks

Comments

[Add Comment] [Subscribe to Comments]

Comment 1 written by Mike Nimer on 5 January 2007, at 10:39 PM

And the string "invalidTag" is defined in the neo-security.xml as well as the regex pattern used to check for scripting hacks.

<code>
<var name="CrossSiteScriptPatterns">
            <struct type="coldfusion.server.ConfigMap">
               <var name="<\s*(object|embed|script|applet|meta)">
                     <string><InvalidTag</string>
               </var>
            </struct>
         </var>
</code>
Comment 2 written by DK on 6 January 2007, at 7:37 AM

theres currently a secunia vulnerability listed for the cross site scripting feature as well. It was entered on 12 Dec 06 and is said to allow you to get around the feature.

http://secunia.com/advisories/23281/
Comment 3 written by Stefan on 6 January 2007, at 5:53 PM

Might this be what the latest hotfix (2006-11-30) fixes?
"64586 Hot fix to resolve a possible cross-site scripting (XSS) vulnerability in ColdFusion's handling of forms."
http://www.adobe.com/cfusion/knowledgebase/index.c...
Comment 4 written by Ryan Everhart on 8 January 2007, at 10:49 AM

Ray,
Thanks for the post, I've been having this issue on my codeShare site (http://codeshare.everfro.com, shameless plug). When users submit code with JS in it the script tag gets replaced with InvalidTag. Hopefully this will help me with my issue.

Ryan
Comment 5 written by Hari on 21 May 2007, at 2:40 PM

Thanks for the post, it helped me to resolve the <InvalidTag issue that I faced.
Comment 6 written by Brandon on 3 June 2008, at 1:47 PM

Is there any way to get around this? I am working on a site that is on a shared server, and they have enabled it in the cf administrator (and won't allow it to be overridden in Application.cfc). The client needs to be able to embed flash and object files, as well as edit meta tags, but those are all rendered "invalid".
Comment 7 written by Raymond Camden on 3 June 2008, at 3:33 PM

What do they mean they won't allow you? They will kick you off the server? Nothing in CF prevents you from turning it off in App.cfc.

Unfortunately I think you are out of luck. I'd change hosts.
Comment 8 written by ColdFusion developer on 7 June 2008, at 5:22 AM

Hi guys - I have a workaround for the problem you're mentioning.

<a href="http://www.beetrootstreet.com/blog/index.cfm/2008/...;

It basically uses onRequestEnd.cfm to re-write the SCRIPT tags. It can also be adapted to work in an Application.cfc environment.

Hope it helps.

Martin
Comment 9 written by ColdFusion developer on 7 June 2008, at 5:22 AM

Seems the URL didn't insert properly. Try again..

http://www.beetrootstreet.com/blog/index.cfm/2008/...

Martin
Comment 10 written by Russ on 28 September 2009, at 8:58 AM

for some reason disabling it in the application.cfm doesn't work, you have to disable it in the cfadmin.
Comment 11 written by Raymond Camden on 28 September 2009, at 9:01 AM

I believe you are wrong Russ. The CFAPP can always overrule the CF Admin. I'd check again.
Comment 12 written by Russ on 28 September 2009, at 9:35 AM

My blogcfc has and always has had scriptrotect="none" in the cfapplication, it makes no difference, only disabling script protection in the cfadmin solves the problem. I will humor your telling me to check again and post the code here for you.

<cfapplication name="#prefix#_blog_#blogname#" sessionManagement="true" loginStorage="session" scriptprotect="none">
Comment 13 written by Raymond Camden on 28 September 2009, at 9:38 AM

Is caching turned on in the CF Admin? I mean trusted cache.
Comment 14 written by TimD on 11 February 2010, at 6:54 PM

Thank you Thank you. I was stumped where this was coming from.
Comment 15 written by ThutMose on 3 March 2010, at 1:27 PM

Ray,
I've run into the same issue that Russ did. Going to do some further testing, but with global script protect on the override in the cfapplication doesn't seem to get picked up or its not allowed. A little odd. I believe blogCFC comes out of the box that way. I've cleared the template cache just to be sure but the issue persists.
Comment 16 written by Raymond Camden on 3 March 2010, at 1:29 PM

That seems odd. I've never seen the template get overridden by the server setting before. Please let me know what you find.