Where the heck is InvalidTag coming from?

I've gotten this question many times, so I thought I'd write up a quick FAQ. If you are displaying dynamic content on your ColdFusion site and see InvalidTag instead of the HTML you expected, it means one of two things.

Either your ColdFusion Admin has Enable Global Script Protection turned on or your Application has scriptProtect set to true. This would be set in either the CFAPPLICATION tag or the This scope of your Application.cfc file.

This is a feature that helps prevent cross-site scripting attacks. Personally I don't use it, as I always run user input through htmlEditFormat before displaying it. For more information about this feature, see this page from the LiveDocs:

Settings Page

So - raise your hand if you've seen this and had no idea what it was!

Comments

And the string "invalidTag" is defined in the neo-security.xml as well as the regex pattern used to check for scripting hacks.

<code>
<var name="CrossSiteScriptPatterns">
    <struct type="coldfusion.server.ConfigMap">
        <var name="&lt;\s*(object|embed|script|applet|meta)">
            <string>&lt;InvalidTag</string>
        </var>
    </struct>
</var>
</code>
# Posted By Mike Nimer | 1/5/07 10:39 PM
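As an added illustration (not code from the post, from Mike's comment, or from ColdFusion itself), the Python below applies the pattern quoted from neo-security.xml to a few constructed form values to show why only the opening of those five tags turns into <InvalidTag, and sets that next to the output-encoding approach Ray prefers. Case-insensitive matching is an assumption of this example, not something the page states.

```python
import html
import re

# The pattern and replacement from the neo-security.xml fragment quoted above.
# In the XML the "&lt;" entity stands for a literal "<"; matching is assumed
# here to be case-insensitive (an assumption of this example, not stated on the page).
SCRIPT_PROTECT_PATTERN = re.compile(r"<\s*(object|embed|script|applet|meta)", re.IGNORECASE)
SCRIPT_PROTECT_REPLACEMENT = "<InvalidTag"


def script_protect(value: str) -> str:
    """Emulate what scriptProtect does to an incoming form/url value.

    Only the opening "<tagname" of the five listed tags is rewritten to
    "<InvalidTag"; attributes, closing tags and every other tag pass through.
    """
    return SCRIPT_PROTECT_PATTERN.sub(SCRIPT_PROTECT_REPLACEMENT, value)


def html_edit_format(value: str) -> str:
    """The alternative the post describes: encode user input at display time.

    Like htmlEditFormat this turns <, >, & and " into entities, so the browser
    shows the markup as text instead of interpreting it (html.escape also
    encodes the single quote, which htmlEditFormat does not).
    """
    return html.escape(value, quote=True)


def compare(value: str) -> dict:
    """Return what a reader would see under each approach for one submitted value."""
    protected = script_protect(value)
    return {
        "script_protect": protected,
        "html_edit_format": html_edit_format(value),
        "rewritten": protected != value,
    }


# Constructed sample submissions (not taken from the page), e.g. from a
# code-sharing form like the one a commenter describes.
SAMPLES = [
    '<script src="widget.js"></script>',        # rewritten: <script is blocked
    '< SCRIPT >',                               # whitespace and case still match
    '<object data="movie.swf"></object>',       # embedding Flash is rewritten too
    '<b>bold</b> and a &lt;script&gt; entity',  # untouched: <b is not listed, entity is not "<"
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(compare(sample))
```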
There's currently a Secunia vulnerability listed for the cross site scripting feature as well. It was entered on 12 Dec 06 and is said to allow you to get around the feature.

http://secunia.com/advisories/23281/
# Posted By DK | 1/6/07 7:37 AM
Might this be what the latest hotfix (2006-11-30) fixes?
"64586    Hot fix to resolve a possible cross-site scripting (XSS) vulnerability in ColdFusion's handling of forms."
http://www.adobe.com/cfusion/knowledgebase/index.c...
# Posted By Stefan | 1/6/07 5:53 PM
Ray,
Thanks for the post, I've been having this issue on my codeShare site (http://codeshare.everfro.com, shameless plug). When users submit code with JS in it the script tag gets replaced with InvalidTag. Hopefully this will help me with my issue.

Ryan
# Posted By Ryan Everhart | 1/8/07 10:49 AM
Thanks for the post, it helped me to resolve the <InvalidTag issue that I faced.
# Posted By Hari | 5/21/07 2:40 PM
Is there any way to get around this? I am working on a site that is on a shared server, and they have enabled it in the cf administrator (and won't allow it to be overridden in Application.cfc). The client needs to be able to embed flash and object files, as well as edit meta tags, but those are all rendered "invalid".
# Posted By Brandon | 6/3/08 1:47 PM
What do they mean they won't allow you? They will kick you off the server? Nothing in CF prevents you from turning it off in App.cfc.

Unfortunately I think you are out of luck. I'd change hosts.
# Posted By Raymond Camden | 6/3/08 3:33 PM
Hi guys - I have a workaround for the problem you're mentioning.

http://www.beetrootstreet.com/blog/index.cfm/2008/...

It basically uses onRequestEnd.cfm to re-write the SCRIPT tags. It can also be adapted to work in an Application.cfc environment.

Hope it helps.

Martin
# Posted By ColdFusion developer | 6/7/08 5:22 AM
Seems the URL didn't insert properly. Try again...

http://www.beetrootstreet.com/blog/index.cfm/2008/...

Martin
# Posted By ColdFusion developer | 6/7/08 5:22 AM