ColdFusion InvalidTag issue

Recently we came across a strange issue with InvalidTag on one of our ColdFusion websites. In the admin part of the site we have a simple textarea field for entering the contents of a mailing. Part of the text we wanted to use was a <meta> tag at the beginning. All of a sudden we were receiving <InvalidTag> instead of <meta>. The InvalidTag value is already present in the POST data before onRequestStart runs, so this is not something done by our own code.

The cause

If you are experiencing such an issue, the cause is most likely hidden in your Application.cfc file: if your application has scriptProtect set to true, this is the place. The other possibility is that the Enable Global Script Protection setting is turned on in the ColdFusion Administrator, which applies it to every application on the server. Script Protection tries to protect your website from cross-site scripting attacks and from insecure code being embedded in the site, so think twice before you turn it off; there is a good chance you should keep this setting to keep your site secure. If you have many users coming from the Internet (that is, the project is not an intranet application) it can be helpful to have at least this additional layer of security. Script Protection rewrites not only <meta> but also <object>, <embed>, <script> and similar tags.
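One way to keep the protection without losing the <meta> tag in the admin textarea is to scope scriptProtect instead of switching it off: the example Application.cfc below (added here as an illustration, not code from the original post or from the site described) keeps URL, cookie and CGI scopes filtered and leaves only the form scope unfiltered, and it refuses every request that does not carry an authenticated admin session. The application name, the session key adminUserId and the /login.cfm path are assumptions for the example.

```cfml
// Application.cfc for the admin application only (added example, not the original site's code).
component {
    this.name = "MailingAdmin";                      // assumed application name
    this.applicationTimeout = createTimeSpan(0, 2, 0, 0);
    this.sessionManagement = true;
    this.sessionTimeout = createTimeSpan(0, 0, 30, 0);

    // scriptProtect accepts "none", "all" or a comma-delimited list of scopes.
    // Leaving "form" out of the list is what stops <meta> in the textarea from
    // being rewritten to <InvalidTag>; url, cookie and cgi input is still filtered.
    this.scriptProtect = "url,cookie,cgi";

    public boolean function onRequestStart(required string targetPage) {
        // Only authenticated administrators may reach this application at all, so the
        // relaxed form-scope setting is never reachable by an anonymous visitor.
        // session.adminUserId is an assumed key set by the login page after authentication.
        if (!structKeyExists(session, "adminUserId") || !len(session.adminUserId)) {
            location("/login.cfm", false);           // assumed login page
            return false;
        }
        return true;
    }
}
```

Because every other application on the server keeps its own Application.cfc (or the global Administrator setting), this change only affects the admin application; the public-facing site keeps filtering form input as before.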

Protection parameters tuning

You can tune Script Protection by editing the parameters in the neo-security.xml file. There you can adjust the regular expression that looks for suspicious tags, and the “InvalidTag” replacement string is kept there as well, so you can change it to whatever you want.
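Before changing the pattern on a live server it is worth previewing what a candidate regular expression does to realistic input. The page below is an added example, not part of the original post; the pattern and the replacement string it uses are stand-ins that you should replace with the values copied from your own neo-security.xml, and the sample inputs are constructed for the demonstration.

```cfml
<!--- preview.cfm: shows what a script-protection pattern would do to sample input (added example) --->
<cfscript>
// ASSUMPTION: illustrative stand-ins for the pattern and replacement in neo-security.xml;
// paste the real values from your server here to preview them.
pattern     = "<\s*(object|embed|script|applet|meta)";
replacement = "<InvalidTag";

// Constructed sample inputs: a harmless mailing header, plain text, and tags the filter targets.
samples = [
    "<meta charset=""utf-8""><p>Newsletter</p>",
    "<p>Plain paragraph with no tags of interest</p>",
    "<SCRIPT src=""x.js""></SCRIPT>",
    "< object data=""movie.swf""></object>"
];

// Apply the same case-insensitive, replace-all rewrite that script protection performs.
function previewScriptProtect(required string input) {
    return reReplaceNoCase(arguments.input, pattern, replacement, "all");
}

writeOutput("<table border=""1""><tr><th>Input</th><th>After filtering</th></tr>");
for (s in samples) {
    writeOutput("<tr><td>" & encodeForHTML(s) & "</td><td>"
                & encodeForHTML(previewScriptProtect(s)) & "</td></tr>");
}
writeOutput("</table>");
</cfscript>
```

Both columns are passed through encodeForHTML so the preview page itself never renders the sample tags; the output only shows which inputs the pattern rewrites and which it leaves alone, which is exactly the information you need before narrowing or widening the expression.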

More information about these application parameters can be found on the cfapplication tag documentation page.