Why is invalidTag appearing in Lucee and ColdFusion?

It is frustrating – you are trying to send some form data, and instead of the original text, you got the contents with some HTML tags replaced with InvalidTag. For instance, if you want to send <iframe> or <script> you are receiving <invalidTag> instead. Why is this happening?

This is due to the Cross-site scripting protection offered by ColdFusion and Lucee engines. It is designed to replace certain HTML tags with the “invalidTag” placeholder to prevent such pieces of code from running. Here is the sample data sent using the form:

And here is how it is displayed once processed by ColdFusion or Lucee engine:

So, what if you want to be able to handle such tags in your forms? You should turn off this protection. Please, however, consider if this will not provide a security breach to your site. If the form can be submitted by your users, you have no control over the contents of the form. In such a case, you should handle possible Cross-site Scripting attacks on your own.

In Coldfusion the switch for the script protection is located in Admin -> Settings:

Once checked, the “unsafe” tags are replaced. If you want to turn it off, you should uncheck this box.

In Lucee, you can fine-tune the protection. The switch is located in Settings -> Request:

As you can see, you can not only turn this on or off completely, but you can select which scopes should be handled by this protection mechanism.

Once again – you should consider what is best for your site. Turning this protection off completely may lead to an increased security risk. In such a case, you should consider other ways of preventing Cross-site scripting attacks.