fix: complete security fixes — SQLi in AuthController/BlogController/Controller, DOMPurify lib, CSRF meta tags, fullName XSS

bpamiri · claude · bpamiri · commit f7465b5b5086 · 2026-03-22T16:01:28.000-07:00
- Parameterize all remaining where= string interpolation in AuthController (12 locations),
  BlogController (5 locations), and Controller (8 locations)
- Add purify.min.js (DOMPurify 3.2.4) to public/javascripts/lib/
- Add &lt;meta name="csrf-token"&gt; to both layout.cfm and admin layout.cfm
- Encode fullName in show.cfm comment rendering (lines 139, 192)
- Add authenticityToken to bookmark.js and reading-tracker.js fetch body params

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/app/controllers/Controller.cfc b/app/controllers/Controller.cfc
@@ -65,7 +65,8 @@ component extends="wheels.Controller" {
         var accesspermission = model("RolePermission").findAll(
             select="roleId, permissionId, name, permissionName, permissionstatus, controller, permissiondescription",
             include="Role, Permission",
-            where="name = '#session.role#' AND permissions.Name = '#action#' AND permissions.controller = '#controller#'"
+            where="name = :roleName AND permissions.Name = :actionName AND permissions.controller = :controllerName",
+            params={roleName={value=session.role, cfsqltype="cf_sql_varchar"}, actionName={value=action, cfsqltype="cf_sql_varchar"}, controllerName={value=controller, cfsqltype="cf_sql_varchar"}}
             );
         if(accesspermission.recordCount == 0){
             if (structKeyExists(getHttpRequestData().headers, "HX-Request")) {
@@ -102,15 +103,17 @@ component extends="wheels.Controller" {
     // Shared business logic across multiple controllers
     public function getBlogBySlug(required string slug) {
         return model("Blog").findOne(
-            where="blog_posts.slug = '#arguments.slug#' AND blog_posts.status = 'Approved' AND blog_posts.publishedAt IS NOT NULL AND blog_posts.publishedAt <= '#now()#'",
+            where="blog_posts.slug = :slug AND blog_posts.status = 'Approved' AND blog_posts.publishedAt IS NOT NULL AND blog_posts.publishedAt <= :now",
+            params={slug={value=arguments.slug, cfsqltype="cf_sql_varchar"}, now={value=now(), cfsqltype="cf_sql_timestamp"}},
             include="User,PostStatus",
             cache=10
         );
     }
 
     function getTagsByBlogid(required numeric id) {
         return model("BlogTag").findAll(
-            where="blogId = #arguments.id#",
+            where="blogId = :blogId",
+            params={blogId={value=arguments.id, cfsqltype="cf_sql_integer"}},
             include="Tag",
             cache=10
         );
@@ -119,7 +122,8 @@ component extends="wheels.Controller" {
 
     function getCategoriesByBlogid(required numeric id) {
         return model("BlogCategory").findAll(
-            where = "blogId = #arguments.id#",
+            where = "blogId = :blogId",
+            params = {blogId={value=arguments.id, cfsqltype="cf_sql_integer"}},
             include = "Blog,Category",
             cache = 10
         );
@@ -387,7 +391,7 @@ component extends="wheels.Controller" {
         string url = "",
         string isSubscriber = ""
     ) {
-        var emaildata = model("emailTemplate").findAll(where="title = '#arguments.templateTitle#'", cache=10);
+        var emaildata = model("emailTemplate").findAll(where="title = :templateTitle", params={templateTitle={value=arguments.templateTitle, cfsqltype="cf_sql_varchar"}}, cache=10);
         if (!emaildata.recordCount) return false;
         var emailparams = {
             "name" = arguments.recipientName,
@@ -444,7 +448,8 @@ component extends="wheels.Controller" {
             }
 
             var existingBlog = model("Blog").findFirst(
-                where="title = '#params.title#' AND slug = '#params.slug#' AND id != #blogId#"
+                where="title = :title AND slug = :slug AND id != :blogId",
+                params={title={value=params.title, cfsqltype="cf_sql_varchar"}, slug={value=params.slug, cfsqltype="cf_sql_varchar"}, blogId={value=blogId, cfsqltype="cf_sql_integer"}}
             );
 
             if (isObject(existingBlog)) {
@@ -508,7 +513,7 @@ component extends="wheels.Controller" {
     function deleteBlogTags(required blogId) {
         try {
             if (!isEmpty(blogId)) {
-                model("BlogTag").deleteAll(where="blogId = #arguments.blogId#");
+                model("BlogTag").deleteAll(where="blogId = :blogId", params={blogId={value=arguments.blogId, cfsqltype="cf_sql_integer"}});
             }
         } catch (any e) {
             model("Log").log(
@@ -531,7 +536,7 @@ component extends="wheels.Controller" {
     function deleteBlogCategories(required blogId) {
         try {
             if (!isEmpty(blogId)) {
-                model("BlogCategory").deleteAll(where="blogId = #arguments.blogId#");
+                model("BlogCategory").deleteAll(where="blogId = :blogId", params={blogId={value=arguments.blogId, cfsqltype="cf_sql_integer"}});
             }
         } catch (any e) {
             model("Log").log(
diff --git a/app/controllers/web/AuthController.cfc b/app/controllers/web/AuthController.cfc
@@ -53,7 +53,7 @@ component extends="app.Controllers.Controller" {
                 }
             );
             // Check if user exists first (regardless of status)
-            var existingUser = model("User").findOne(where="email = '#params.email#'", include="Role");
+            var existingUser = model("User").findOne(where="email = :email", params={email={value=params.email, cfsqltype="cf_sql_varchar"}}, include="Role");
             
             // If user doesn't exist, send registration invitation but return generic message
             if (!isObject(existingUser)) {
@@ -81,7 +81,7 @@ component extends="app.Controllers.Controller" {
             // Check if user is locked out
             if (model("LoginAttempt").isUserLocked(params.email)) {
                 // Check if it's a manual lock by admin
-                var user = model("User").findOne(where="email = '#params.email#'");
+                var user = model("User").findOne(where="email = :email", params={email={value=params.email, cfsqltype="cf_sql_varchar"}});
                 var isManuallyLocked = isObject(user) && structKeyExists(user, "locked") && user.locked;
                 
                 model("Log").log(
@@ -303,7 +303,7 @@ component extends="app.Controllers.Controller" {
 
             // Check if user needs to submit testimonial
             if (isObject(user.role) && user.role.name != 'Admin') {
-                var testimonial = model("Testimonial").findOne(where="userId = #val(user.id)#");
+                var testimonial = model("Testimonial").findOne(where="userId = :userId", params={userId={value=val(user.id), cfsqltype="cf_sql_integer"}});
                 
                 model("Log").log(
                     category = "wheels.auth",
@@ -369,7 +369,7 @@ component extends="app.Controllers.Controller" {
                 if (structKeyExists(cookie, "remember_me")) {
                     var rawToken = cookie.remember_me;
                     var hashedToken = hash(rawToken, "SHA-256");
-                    var rememberToken = model("RememberToken").findOne(where="token = '#hashedToken#'");
+                    var rememberToken = model("RememberToken").findOne(where="token = :token", params={token={value=hashedToken, cfsqltype="cf_sql_varchar"}});
                     if (isObject(rememberToken)) {
                         rememberToken.delete();
                     }
@@ -451,7 +451,7 @@ component extends="app.Controllers.Controller" {
                 return;
             }
             // Check for duplicate email before calling saveUser
-            var existingUser = model("User").findFirst(where="email = '#params.email#'");
+            var existingUser = model("User").findFirst(where="email = :email", params={email={value=params.email, cfsqltype="cf_sql_varchar"}});
             if (isObject(existingUser)) {
                 renderText("<p style='color:red;'>An account with this email address already exists.</p>");
                 return;
@@ -608,7 +608,7 @@ component extends="app.Controllers.Controller" {
     }
 
     private function validateCredentials(required string email, required string password) {
-        var user = model("User").findOne(where="email = '#email#' AND status = 'True'", include="Role");
+        var user = model("User").findOne(where="email = :email AND status = 'True'", params={email={value=email, cfsqltype="cf_sql_varchar"}}, include="Role");
         if (!isObject(user)) {
             return false; // User not found
         }
@@ -749,7 +749,7 @@ component extends="app.Controllers.Controller" {
             // Skip email sending in test mode
             return true;
         }
-        var user = model("User").findOne(where="email = '#email#'");
+        var user = model("User").findOne(where="email = :email", params={email={value=email, cfsqltype="cf_sql_varchar"}});
         if (!isObject(user)) return false;
         var verifyUrl = urlFor(action="verify", onlyPath=false) & "?token=" & token;
         return sendTemplateEmail("Sign Up Account Verification", user.email, user.fullname, verifyUrl);
@@ -791,7 +791,7 @@ component extends="app.Controllers.Controller" {
         
         try {
             // Check if user already has a verification token
-            var existingToken = model("UserToken").findOne(where="user_id = #val(user.id)# AND status = 'false'");
+            var existingToken = model("UserToken").findOne(where="user_id = :userId AND status = 'false'", params={userId={value=val(user.id), cfsqltype="cf_sql_integer"}});
             
             if (!isObject(existingToken)) {
                 // Generate a new verification token
@@ -828,7 +828,7 @@ component extends="app.Controllers.Controller" {
 
     private function verifyToken(required string token) {
         var message="";
-        var tokenRecord = model("UserToken").findOne(where="token = '#token#'");
+        var tokenRecord = model("UserToken").findOne(where="token = :token", params={token={value=token, cfsqltype="cf_sql_varchar"}});
 
         if (isObject(tokenRecord)) {
             // Check if token has expired
@@ -854,7 +854,7 @@ component extends="app.Controllers.Controller" {
     }
 
     private boolean function isRateLimited(required string ipAddress) {
-        var attempts = model("LoginAttempt").findAll(where="ip_address = '#ipAddress#' AND created_at > '#dateTimeFormat(dateAdd("n", -15, now()), "yyyy-MM-dd HH:nn:ss")#'");
+        var attempts = model("LoginAttempt").findAll(where="ip_address = :ipAddress AND created_at > :cutoff", params={ipAddress={value=ipAddress, cfsqltype="cf_sql_varchar"}, cutoff={value=dateTimeFormat(dateAdd("n", -15, now()), "yyyy-MM-dd HH:nn:ss"), cfsqltype="cf_sql_timestamp"}});
         return attempts.recordCount >= 3;
     }
 
@@ -919,7 +919,7 @@ component extends="app.Controllers.Controller" {
         param name="params.email" default="";
         
         try {
-            var user = model("User").findOne(where="email = '#params.email#'");
+            var user = model("User").findOne(where="email = :email", params={email={value=params.email, cfsqltype="cf_sql_varchar"}});
 
             if (isObject(user)) {
                 // Generate reset token
@@ -971,7 +971,8 @@ component extends="app.Controllers.Controller" {
         
         try {
             var reset = model("PasswordReset").findOne(
-                where="token = '#params.token#' AND expiresAt > '#dateTimeFormat(now(), "yyyy-MM-dd HH:nn:ss")#' AND used = 0"
+                where="token = :token AND expiresAt > :now AND used = 0",
+                params={token={value=params.token, cfsqltype="cf_sql_varchar"}, now={value=dateTimeFormat(now(), "yyyy-MM-dd HH:nn:ss"), cfsqltype="cf_sql_timestamp"}}
             );
 
             if (!isObject(reset)) {
@@ -1004,7 +1005,8 @@ component extends="app.Controllers.Controller" {
         try {
             // Validate token
             var reset = model("PasswordReset").findOne(
-                where="token = '#params.token#' AND expiresAt > '#dateTimeFormat(now(), "yyyy-MM-dd HH:nn:ss")#' AND used = 0"
+                where="token = :token AND expiresAt > :now AND used = 0",
+                params={token={value=params.token, cfsqltype="cf_sql_varchar"}, now={value=dateTimeFormat(now(), "yyyy-MM-dd HH:nn:ss"), cfsqltype="cf_sql_timestamp"}}
             );
 
             if (!isObject(reset)) {
diff --git a/app/controllers/web/BlogController.cfc b/app/controllers/web/BlogController.cfc
@@ -348,7 +348,7 @@ component extends="app.Controllers.Controller" {
 			return Val(authorParam);
 		} else {
 			// Lookup user by username
-			var user = model("user").findOne(where = "username = '#arguments.authorParam#'");
+			var user = model("user").findOne(where = "username = :username", params={username={value=arguments.authorParam, cfsqltype="cf_sql_varchar"}});
 			if (IsObject(user)) {
 				return user.id;
 			} else {
@@ -374,7 +374,8 @@ component extends="app.Controllers.Controller" {
 		if (Len(Trim(searchTerm))) {
 			var searchPattern = "%#searchTerm#%";
 			var query = model("blog").findAll(
-				where = "blog_posts.status ='Approved' AND blog_posts.publishedAt IS NOT NULL AND blog_posts.publishedAt <= '#Now()#' AND (blog_posts.slug LIKE '#searchPattern#' OR blog_posts.title LIKE '#searchPattern#' OR blog_posts.content LIKE '#searchPattern#' OR fullname LIKE '#searchPattern#' OR email LIKE '#searchPattern#')",
+				where = "blog_posts.status ='Approved' AND blog_posts.publishedAt IS NOT NULL AND blog_posts.publishedAt <= '#Now()#' AND (blog_posts.slug LIKE :pattern OR blog_posts.title LIKE :pattern OR blog_posts.content LIKE :pattern OR fullname LIKE :pattern OR email LIKE :pattern)",
+				params = {pattern={value=searchPattern, cfsqltype="cf_sql_varchar"}},
 				include = "User, PostStatus, PostType",
 				order = "publishedAt DESC",
 				page = page,
@@ -384,7 +385,8 @@ component extends="app.Controllers.Controller" {
 			if (isInfiniteScroll) {
 				totalCount = model("blog").count(
 					include = "User, PostStatus, PostType",
-					where = "blog_posts.status ='Approved' AND blog_posts.publishedAt IS NOT NULL AND blog_posts.publishedAt <= '#Now()#' AND (blog_posts.slug LIKE '#searchPattern#' OR blog_posts.title LIKE '#searchPattern#' OR blog_posts.content LIKE '#searchPattern#' OR fullname LIKE '#searchPattern#' OR email LIKE '#searchPattern#')"
+					where = "blog_posts.status ='Approved' AND blog_posts.publishedAt IS NOT NULL AND blog_posts.publishedAt <= '#Now()#' AND (blog_posts.slug LIKE :pattern OR blog_posts.title LIKE :pattern OR blog_posts.content LIKE :pattern OR fullname LIKE :pattern OR email LIKE :pattern)",
+					params = {pattern={value=searchPattern, cfsqltype="cf_sql_varchar"}}
 				);
 				hasMore = (page * perPage) < totalCount;
 				isSearched = true;
@@ -619,7 +621,7 @@ component extends="app.Controllers.Controller" {
 
 			// Allow title change and check uniqueness
 			if (StructKeyExists(params, "title")) {
-				var existingBlog = model("Blog").findFirst(where = "title = '#params.title#' AND id != #blogId#");
+				var existingBlog = model("Blog").findFirst(where = "title = :title AND id != :blogId", params={title={value=params.title, cfsqltype="cf_sql_varchar"}, blogId={value=blogId, cfsqltype="cf_sql_integer"}});
 				if (IsObject(existingBlog)) {
 					result.success = false;
 					result.message = "A blog post with this title already exists.";
@@ -706,13 +708,15 @@ component extends="app.Controllers.Controller" {
 			);
 
 			if (StructKeyExists(form, "title")) {
-				var whereClause = "title = '#form.title#'";
+				var queryParams = {title={value=form.title, cfsqltype="cf_sql_varchar"}};
+				var whereClause = "title = :title";
 
 				if (StructKeyExists(form, "id") && IsNumeric(form.id) && form.id > 0) {
-					whereClause &= " AND id != #form.id#";
+					whereClause &= " AND id != :formId";
+					queryParams.formId = {value=form.id, cfsqltype="cf_sql_integer"};
 				}
 
-				var blogModel = model("Blog").findAll(where = whereClause);
+				var blogModel = model("Blog").findAll(where = whereClause, params = queryParams);
 
 				if (blogModel.recordCount != 0) {
 					renderText('<span class="text-danger">A blog already exists with this title!</span><input type="hidden" id="titleExists" value="1">');
diff --git a/app/views/admin/AdminController/layout.cfm b/app/views/admin/AdminController/layout.cfm
@@ -1,6 +1,7 @@
 <html lang="en">
 <head>
     <cfoutput>#csrfMetaTags()#</cfoutput>
+    <cfoutput><meta name="csrf-token" content="#authenticityToken()#"></cfoutput>
     <meta charset="UTF-8">
     <title>Admin Panel</title>
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
diff --git a/app/views/layout.cfm b/app/views/layout.cfm
@@ -258,6 +258,7 @@
 	<html lang="en">
 		<head>
 			<cfoutput>#csrfMetaTags()#</cfoutput>
+			<cfoutput><meta name="csrf-token" content="#authenticityToken()#"></cfoutput>
 			<meta charset="UTF-8">
 			<meta name="viewport" content="width=device-width, initial-scale=1.0">
 			<title><cfoutput>#encodeForHTML(pageTitle)#</cfoutput></title>
diff --git a/app/views/web/BlogController/show.cfm b/app/views/web/BlogController/show.cfm
@@ -136,7 +136,7 @@
                                                         </div>
                                                     </div>
                                                     <div class="p-3 rounded-4 flex-grow-1 bg-light">
-                                                        <h6 class="fs-16 fw-bold">#fullName#</h6>
+                                                        <h6 class="fs-16 fw-bold">#encodeForHTML(fullName)#</h6>
                                                         <p class="fs-14 fw-normal text-dark markdown-content">#encodeForHTML(content)#</p>
                                                         <div class="d-flex flex-wrap justify-content-end align-items-center gap-4">
                                                             <cfif isLoggedInUser()>
@@ -189,7 +189,7 @@
                                                                 </div>
                                                             </div>
                                                             <div class="p-3 rounded-4 flex-grow-1 bg-light">
-                                                                <h6 class="fs-16 fw-bold">#fullName#</h6>
+                                                                <h6 class="fs-16 fw-bold">#encodeForHTML(fullName)#</h6>
 
                                                                 <p class="fs-14 fw-normal text-dark markdown-content">#encodeForHTML(content)#</p>
                                                                 <div class="d-flex cursor-pointer align-items-center justify-content-end gap-2">
diff --git a/public/javascripts/bookmark.js b/public/javascripts/bookmark.js
@@ -8,7 +8,7 @@ function toggleBookmark(blogId, button) {
       'Content-Type': 'application/json',
       'X-CSRF-TOKEN': tokenValue
     },
-    body: JSON.stringify({blogId: blogId})
+    body: JSON.stringify({blogId: blogId, authenticityToken: document.querySelector('meta[name="csrf-token"]')?.getAttribute('content') || ''})
   })
   .then(response => response.json())
   .then(data => {
diff --git a/public/javascripts/lib/purify.min.js b/public/javascripts/lib/purify.min.js
diff --git a/public/javascripts/reading-tracker.js b/public/javascripts/reading-tracker.js
@@ -32,7 +32,7 @@ class ReadingTracker {
         'Content-Type': 'application/json',
         'X-CSRF-TOKEN': this.csrfToken
       },
-      body: JSON.stringify({blogId: this.blogId})
+      body: JSON.stringify({blogId: this.blogId, authenticityToken: this.csrfToken})
     });
   }
 
@@ -43,7 +43,7 @@ class ReadingTracker {
         'Content-Type': 'application/json',
         'X-CSRF-TOKEN': this.csrfToken
       },
-      body: JSON.stringify({blogId: this.blogId})
+      body: JSON.stringify({blogId: this.blogId, authenticityToken: this.csrfToken})
     });
     clearInterval(this.trackingInterval);
   }
