CFFORM Server Side Validation - IS INSECURE

Most ColdFusion programmers know that client-side form validation performed with JavaScript is insecure, so it can't be used by itself. JavaScript form validation isn't there to secure the application; it exists to improve the experience for the users who aren't malicious. But we also need to account for the few rotten apples who, given half a chance, will spoil it for the rest of us.

So we need server-side validation. What a lot of ColdFusion programmers DON'T realize is that the server-side form validation built into CFFORM is insecure too. Here's an example:


Sorry for the formatting, I didn't write that XSL.

This form is created using this CFML code:

<!--- The inputs are redisplayed from the form scope, so give the fields defaults for the first load --->
<cfparam name="form.name" default="" />
<cfparam name="form.email" default="" />
<cfparam name="form.message" default="" />

<cfform action="#cgi.SCRIPT_NAME#" format="xml">
	<cfinput type="hidden" name="submitted" value="true" />
	
	<cfinput type="text" name="name" label="Name" 
		value="#form.name#" required="true" validateat="onserver" />
	
	<cfinput type="text" name="email" label="Email Address" 
		value="#form.email#" required="true" validate="email" validateat="onserver" />
	
	<cftextarea name="message" label="Message" 
		value="#form.message#" required="true" validateat="onserver" />
	
	<cfinput type="submit" name="submit" value="Submit" />
</cfform>

This is trivially easy to bypass. I use Firefox as my browser, not because I think it's any better as a browser, but because the developer tools built into it are really helpful. One of those tools is DOM inspection, which I access by right-clicking on an element in a web page and selecting "Inspect Element", shown in the image below.

This opens a new panel in the browser showing me the whole source of the page, where I scroll up to find the form tag created by CFFORM. Unlike a simple "view source" command, the DOM inspector lets me modify the contents of the HTML tag attributes. So in this case I just select the onsubmit attribute and delete its value.

Then I go back to the web page, click the "Submit" button and voilà! CFFORM server-side validation bypassed, showing me the data below:

I actually have not used CFFORM in a while. This is on ColdFusion 8, and I just realized that the server-side validation in this version is a step backward from previous versions. In previous versions the CFFORM tag would include several hidden form fields with names like "email_required", and when you submitted the form you'd get an error like this one:

You can still manually include those same hidden form fields if you want to, and the server will produce an error message like the one above. The problem is that it won't give you any extra protection against malicious users, because it's just as easy in Firefox to rename those hidden form fields. Okay, it's not just as easy -- it requires a little more typing. But you're not going to dissuade a malicious user by making them type. No hacker has ever said "oh gosh! I have to type out five of these things! I give up!" If they gave up that easily, security would never be a problem.

In essence, there is no such thing as "server side" form validation using CFFORM, in spite of the fact that the documentation claims that there is.

The onTap framework, however, through its HTML library feature, provides a way to create forms just as easily that actually do provide sophisticated server-side validation, validation that can't be bypassed in this way or any other, because the rules depend on variables the user can't modify.
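The same principle in plain CFML, as an added example that is not code from this post or from the onTap framework: every rule runs on the server against the submitted values and depends on no onsubmit handler or hidden "_required" field. It assumes the three field names from the form above (name, email, message) and ColdFusion 7 or later for isValid().

```cfml
<!--- Added example, not from the original post: the rules live on the
      server and are evaluated against the submitted values, so there is
      no onsubmit handler or hidden "_required" field for a user to remove. --->
<cfparam name="form.submitted" default="false" />
<cfparam name="form.name" default="" />
<cfparam name="form.email" default="" />
<cfparam name="form.message" default="" />

<cfset errors = arrayNew(1) />

<!--- isBoolean() guards against a tampered "submitted" value that is not true/false --->
<cfif isBoolean(form.submitted) AND form.submitted>

	<!--- Required fields: trim first so whitespace-only input is rejected --->
	<cfif NOT len(trim(form.name))>
		<cfset arrayAppend(errors, "Name is required.") />
	</cfif>

	<!--- isValid() is evaluated here, on the server, whatever the browser did --->
	<cfif NOT len(trim(form.email))>
		<cfset arrayAppend(errors, "Email address is required.") />
	<cfelseif NOT isValid("email", form.email)>
		<cfset arrayAppend(errors, "Email address is not in a valid format.") />
	</cfif>

	<cfif NOT len(trim(form.message))>
		<cfset arrayAppend(errors, "Message is required.") />
	</cfif>

	<cfif NOT arrayLen(errors)>
		<!--- Only reached when every rule above passed --->
		<cfoutput><p>Thanks, #htmlEditFormat(form.name)#, your message was received.</p></cfoutput>
		<cfabort />
	</cfif>
</cfif>

<!--- Fell through: first visit, or a submission that failed validation --->
<cfif arrayLen(errors)>
	<ul>
	<cfloop from="1" to="#arrayLen(errors)#" index="i">
		<cfoutput><li>#errors[i]#</li></cfoutput>
	</cfloop>
	</ul>
</cfif>
<!--- ...then redisplay the form (for example the cfform from the post) --->
```

Because the checks read only form.name, form.email and form.message, deleting the onsubmit attribute or renaming hidden fields changes nothing about what the server accepts.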