Earlier this morning, Mingo Hagen asked a question on Twitter about using the canonicalize function available natively in ColdFusion 10 on a ColdFusion 9 server.
ColdFusion 10 contains a few new security methods (encodeForHTML, encodeForURL etc.) as well as the canonicalize method, which are drawn from the ESAPI (Enterprise Security API) .jar file included in the installation. Whilst CF8 and CF9 do not have these methods exposed as native functions, they DO contain the ESAPI.jar file. ESAPI was included in ColdFusion as a hotfix for 8 and 8.0.1 (ESAPI 1.4), and ColdFusion 9 and 9.0.1 (ESAPI 2 RC). This means we can instantiate the Java library and still use these security features:
<cfset strText = 'Hello, world. This is the <strong>greatest</strong> example in the world.' />
<!--- Instantiate the ESAPI object. --->
<cfset objESAPI = createObject("java","org.owasp.esapi.ESAPI") />
<!--- Assign the Encoder class to a new variable. --->
<cfset objEncoder = objESAPI.encoder() />
<!--- Canonicalize the provided string. --->
<cfset strClean = objEncoder.canonicalize(strText, false, false) />
<!---
In this example we created a separate object for the Encoder class.
You could simply call the canonicalize function this way, too:
<cfset strClean = objESAPI.encoder().canonicalize('whatever your input string is') />
--->
The ESAPI components and libraries are incredibly detailed and feature-rich and much more can be achieved with them, but the above code will help you instantiate the objects and use the encoding methods in earlier versions of ColdFusion (8 and 9).
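As an added example (not code from the original post or from the CFML Security project), the same ESAPI Encoder object is used below to compare lenient and strict canonicalization and then encode the result for the HTML and URL contexts it is rendered in. The input string and the log file name are constructed for the example; the snippet above passes `false, false`, which unwinds multiple layers of encoding silently, whereas `true, true` makes ESAPI 2 throw when it detects multiple or mixed encoding.

```cfml
<!--- Constructed sample: "<b>" URL-encoded twice, as untrusted input might arrive in a query string. --->
<cfset strUntrusted = '%253Cb%253E' />

<!--- Instantiate ESAPI and grab the Encoder, exactly as in the snippet above. --->
<cfset objEncoder = createObject("java","org.owasp.esapi.ESAPI").encoder() />

<!--- Lenient mode (restrictMultiple=false, restrictMixed=false): both encoding layers are removed without complaint. --->
<cfset strLenient = objEncoder.canonicalize(strUntrusted, false, false) />

<!--- Strict mode: ESAPI 2 throws org.owasp.esapi.errors.IntrusionException on multiple or mixed encoding, so catch it. --->
<cftry>
    <cfset strStrict = objEncoder.canonicalize(strUntrusted, true, true) />
    <cfcatch type="any">
        <cfset strStrict = "" />
        <!--- Log file name is a constructed placeholder. --->
        <cflog file="esapi-example" text="Rejected multiply-encoded input: #cfcatch.message#" />
    </cfcatch>
</cftry>

<!--- Canonicalized text is still untrusted; encode it for the output context before rendering. --->
<cfoutput>
    <p>Lenient result, HTML-encoded: #objEncoder.encodeForHTML(strLenient)#</p>
    <p>Strict result (empty if rejected): #objEncoder.encodeForHTML(strStrict)#</p>
    <a href="/search?q=#objEncoder.encodeForURL(strLenient)#">Search again</a>
</cfoutput>
```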
I have also added the canonicalize method to my forked repository of the CFML Security project created by Pete Freitag / Foundeo last week.
You can download the fork from https://github.com/coldfumonkeh/cfml-security