fix: SQL injection, XSS, and CSRF security hardening#314

Merged
bpamiri merged 5 commits into main from polecat/furiosa/wd-7rl@mn2b06rd
Mar 23, 2026

Conversation

@bpamiri (Collaborator) commented Mar 22, 2026

Summary

  • SQL Injection: Parameterized all where= string interpolation across AuthController (12), BlogController (5), Controller (8), NewsletterController (4), RolesController (4), BookmarkController, ReadingHistoryController, LoginAttempt, PasswordReset, and RememberToken models
  • XSS: Added encodeForHTML() to all user content output (comments, blog titles, author names), removed unreliable markdown detection heuristic, added DOMPurify sanitization before marked.parse() innerHTML injection
  • CSRF: Added global htmx:configRequest listener for auto-injecting CSRF tokens on non-GET HTMX requests, added <meta name="csrf-token"> to both layouts, added authenticityToken to fetch POST calls in bookmark.js and reading-tracker.js

Files changed (17)

Controllers — parameterized SQL:

  • app/controllers/Controller.cfc
  • app/controllers/web/AuthController.cfc
  • app/controllers/web/BlogController.cfc
  • app/controllers/admin/NewsletterController.cfc
  • app/controllers/admin/RolesController.cfc
  • app/controllers/web/BookmarkController.cfc
  • app/controllers/web/ReadingHistoryController.cfc

Models — parameterized SQL:

  • app/models/LoginAttempt.cfc
  • app/models/PasswordReset.cfc
  • app/models/RememberToken.cfc

Views — XSS + CSRF:

  • app/views/layout.cfm — DOMPurify script + CSRF meta tag
  • app/views/admin/AdminController/layout.cfm — DOMPurify script + CSRF meta tag
  • app/views/admin/AdminController/partials/_commentView.cfm — encodeForHTML
  • app/views/web/BlogController/partials/_comment.cfm — encodeForHTML
  • app/views/web/BlogController/show.cfm — encodeForHTML + CSRF tokens

JavaScript — CSRF + DOMPurify:

  • public/javascripts/adminglobal.js — CSRF auto-injector + DOMPurify
  • public/javascripts/bookmark.js — CSRF token in fetch body
  • public/javascripts/global.js — CSRF auto-injector + DOMPurify
  • public/javascripts/reading-tracker.js — CSRF token in fetch body
  • public/javascripts/showBlog.js — DOMPurify
  • public/javascripts/lib/purify.min.js — new (DOMPurify 3.2.4)

Test plan

  • Verify login/registration/password-reset flows work (SQL parameterization in AuthController)
  • Verify blog search returns results (parameterized LIKE queries)
  • Verify blog comments render correctly with markdown (DOMPurify + marked.parse)
  • Verify bookmark toggle and reading tracker work (CSRF token in fetch)
  • Verify admin HTMX actions (role edit/delete, category edit/delete, newsletter unsubscribe) work with auto-injected CSRF
  • Verify no JavaScript console errors on blog show page (DOMPurify loaded correctly)

🤖 Generated with Claude Code
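
The CSRF part of the summary above describes a global htmx:configRequest listener that injects the token on non-GET requests plus hand-added authenticityToken fields in fetch() bodies. The block below is an added example, not code from this PR or from the project: it factors that behaviour into pure functions so the decision logic can be run and checked in Node, and adds the one check a reviewer would want that the summary does not mention, namely that the token is only attached to same-origin targets (an hx-post or fetch to another host must not receive it). Assumed, not confirmed by the page: the token is read from <meta name="csrf-token">, the form parameter is named authenticityToken, and the htmx event detail exposes verb, path and parameters (the names htmx documents for htmx:configRequest).

```javascript
// Added example (not the PR's code): CSRF auto-injection logic for htmx and fetch().
// Assumptions: token in <meta name="csrf-token">, parameter name authenticityToken,
// htmx event.detail carrying { verb, path, parameters }.

const SAFE_VERBS = new Set(["get", "head", "options"]); // no state change, no token
const TOKEN_PARAM = "authenticityToken";

// Only state-changing verbs get the token, and only when the request resolves to the
// page's own origin; a relative path, an absolute same-host URL and a protocol-relative
// "//other.host/..." are all resolved against pageOrigin before comparing.
function shouldInjectToken(verb, path, pageOrigin) {
  if (SAFE_VERBS.has(String(verb).toLowerCase())) return false;
  let target;
  try {
    target = new URL(path, pageOrigin);
  } catch {
    return false; // unparsable target: refuse rather than leak the token
  }
  return target.origin === pageOrigin;
}

// Body of the htmx:configRequest handler. `detail` is the event.detail object htmx
// passes; the token is added as a request parameter, never overwriting one already set
// by a hidden field in the form.
function injectCsrf(detail, token, pageOrigin) {
  if (!token) return detail;
  if (!shouldInjectToken(detail.verb, detail.path, pageOrigin)) return detail;
  if (!(TOKEN_PARAM in detail.parameters)) {
    detail.parameters[TOKEN_PARAM] = token;
  }
  return detail;
}

// Equivalent for hand-written fetch() POSTs (the bookmark / reading-tracker pattern):
// build the form body once and append the token, so callers cannot forget it.
function csrfFormBody(fields, token) {
  const body = new URLSearchParams(fields);
  body.set(TOKEN_PARAM, token);
  return body;
}

// Browser wiring: read the meta tag once and hook the global htmx event on <body>.
function installHtmxCsrf(doc, win) {
  const meta = doc.querySelector('meta[name="csrf-token"]');
  const token = meta ? meta.getAttribute("content") : "";
  doc.body.addEventListener("htmx:configRequest", (evt) => {
    injectCsrf(evt.detail, token, win.location.origin);
  });
  return token;
}

// Run the wiring only in a browser so the file also loads under Node for testing.
if (typeof document !== "undefined" && typeof window !== "undefined") {
  installHtmxCsrf(document, window);
}

// Constructed sample requests (not captured from the application) showing each branch.
function demo() {
  const origin = "https://blog.example"; // assumed page origin
  const token = "tok-123";               // constructed token value
  return {
    adminDelete: injectCsrf(
      { verb: "delete", path: "/admin/roles/3", parameters: {} }, token, origin),
    search: injectCsrf(
      { verb: "get", path: "/blog/search?q=x", parameters: {} }, token, origin),
    thirdParty: injectCsrf(
      { verb: "post", path: "//evil.example/collect", parameters: {} }, token, origin),
    bookmarkBody: csrfFormBody({ postId: "42" }, token).toString(),
  };
}
```

The same-origin check matters because an htmx-powered page can legitimately hx-post to a full URL; without it the listener would hand the session's CSRF token to whatever host that URL names. Keeping the token in a meta tag is the usual pattern, but it means any stored XSS on the page can read it, which is why the encodeForHTML and DOMPurify changes in this PR are part of the CSRF story rather than separate from it.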

bpamiri and others added 5 commits March 22, 2026 15:24
…er (wd-7rl)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…arse (wd-9fq)

- Always encodeForHTML() comment content and blog titles server-side
- Remove unreliable markdown detection heuristic
- Add DOMPurify sanitization before marked.parse innerHTML injection
- Encode admin comment view outputs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add global htmx:configRequest listener to auto-inject CSRF token on non-GET requests
- Add authenticityToken to bookmark.js and reading-tracker.js fetch POST calls
- Add CSRF tokens to blog show.cfm hx-post elements

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…Controller, DOMPurify lib, CSRF meta tags, fullName XSS

- Parameterize all remaining where= string interpolation in AuthController (12 locations),
  BlogController (5 locations), and Controller (8 locations)
- Add purify.min.js (DOMPurify 3.2.4) to public/javascripts/lib/
- Add <meta name="csrf-token"> to both layout.cfm and admin layout.cfm
- Encode fullName in show.cfm comment rendering (lines 139, 192)
- Add authenticityToken to bookmark.js and reading-tracker.js fetch body params

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@bpamiri bpamiri merged commit 0f3723a into main Mar 23, 2026
1 check passed
@bpamiri bpamiri deleted the polecat/furiosa/wd-7rl@mn2b06rd branch March 23, 2026 01:10