To truly use best practices you can do a lot of code development, or, fall back to a project that has already proven its merit through many years of practical use.
I am referring to the OWASP Enterprise Security API (ESAPI). Unfortunately, getting this puppy running in any shape requires some reading muscle and some luck and some powers of deduction.
I am summarizing here the findings, so you don’t have to run through the maze of options and boiling it down to something simple.
First, you will have to download the jar file (as of this writing it would be esapi-2.0.1). The download is around 14MB but you only need the esapi-2.0.1.jar file. Copy the jar file to (backup any esapi file that already exists in there first):
[cfroot]/wwwroot/WEB-INF/lib in Adobe Coldfusion.
WEB-INF/lib in Railo
Then, download a good ESAPI.properties file. Most of my head banging and hair ripping surrounds finding the property definitions. Can’t stress this enough. Start with the one from source code it has good comments. Go through this file carefully and make needed changes. Make sure all directories referenced in the properties file actually exist on your drive system and also change default Encryptor.MasterKey and Encryptor.MasterSalt to something you are comfortable with, e.g. do not use something like this:
Encryptor.MasterKey=changeme
Encryptor.MasterSalt=blah
After you made changes save it (e.g. c:\esapi\files).
Thirdly, make environment start up changes.
If you are using Adobe Coldfusion you will need to change the JVM startup properties in CF Administrator to add a property and point to place where you placed ESAPI.properties file. E.g.:
-D org.owasp.esapi.resources=c:\esapi\files
For Railo, the above is done in Tomcat/Jetty startup parameters.
Fourthly, change classpath (Yep, you heard right change JAVA classpath): Add the directory you placed the properties file in to Java classpath. This is something that had me stumped as well.
After all of the above, give your server a good schake (restart), and then test whether all works.
Simple code snippet:
<cfset esapi = CreateObject("java","org.owasp.esapi.ESAPI")> <cfset encoder = esapi.encoder()> <cfoutput> <cfset myInput="<script>some input for html context; alert('doing something you don't want');</script>"> #now()# <br/> #encoder.encodeForHTML(JavaCast("string", myInput))# </cfoutput>
The good news is that Adobe is looking into bundling this in the future so you don’t have to. However, in the meantime this is good practice ;o)
Best,
B.