21 changes: 13 additions & 8 deletions app/controllers/Controller.cfc
Expand Up @@ -65,7 +65,8 @@ component extends="wheels.Controller" {
var accesspermission = model("RolePermission").findAll(
select="roleId, permissionId, name, permissionName, permissionstatus, controller, permissiondescription",
include="Role, Permission",
where="name = '#session.role#' AND permissions.Name = '#action#' AND permissions.controller = '#controller#'"
where="name = :roleName AND permissions.Name = :actionName AND permissions.controller = :controllerName",
params={roleName={value=session.role, cfsqltype="cf_sql_varchar"}, actionName={value=action, cfsqltype="cf_sql_varchar"}, controllerName={value=controller, cfsqltype="cf_sql_varchar"}}
);
if(accesspermission.recordCount == 0){
if (structKeyExists(getHttpRequestData().headers, "HX-Request")) {
Expand Down Expand Up @@ -102,15 +103,17 @@ component extends="wheels.Controller" {
// Shared business logic across multiple controllers
public function getBlogBySlug(required string slug) {
return model("Blog").findOne(
where="blog_posts.slug = '#arguments.slug#' AND blog_posts.status = 'Approved' AND blog_posts.publishedAt IS NOT NULL AND blog_posts.publishedAt <= '#now()#'",
where="blog_posts.slug = :slug AND blog_posts.status = 'Approved' AND blog_posts.publishedAt IS NOT NULL AND blog_posts.publishedAt <= :now",
params={slug={value=arguments.slug, cfsqltype="cf_sql_varchar"}, now={value=now(), cfsqltype="cf_sql_timestamp"}},
include="User,PostStatus",
cache=10
);
}

function getTagsByBlogid(required numeric id) {
return model("BlogTag").findAll(
where="blogId = #arguments.id#",
where="blogId = :blogId",
params={blogId={value=arguments.id, cfsqltype="cf_sql_integer"}},
include="Tag",
cache=10
);
Expand All @@ -119,7 +122,8 @@ component extends="wheels.Controller" {

function getCategoriesByBlogid(required numeric id) {
return model("BlogCategory").findAll(
where = "blogId = #arguments.id#",
where = "blogId = :blogId",
params = {blogId={value=arguments.id, cfsqltype="cf_sql_integer"}},
include = "Blog,Category",
cache = 10
);
Expand Down Expand Up @@ -387,7 +391,7 @@ component extends="wheels.Controller" {
string url = "",
string isSubscriber = ""
) {
var emaildata = model("emailTemplate").findAll(where="title = '#arguments.templateTitle#'", cache=10);
var emaildata = model("emailTemplate").findAll(where="title = :templateTitle", params={templateTitle={value=arguments.templateTitle, cfsqltype="cf_sql_varchar"}}, cache=10);
if (!emaildata.recordCount) return false;
var emailparams = {
"name" = arguments.recipientName,
Expand Down Expand Up @@ -444,7 +448,8 @@ component extends="wheels.Controller" {
}

var existingBlog = model("Blog").findFirst(
where="title = '#params.title#' AND slug = '#params.slug#' AND id != #blogId#"
where="title = :title AND slug = :slug AND id != :blogId",
params={title={value=params.title, cfsqltype="cf_sql_varchar"}, slug={value=params.slug, cfsqltype="cf_sql_varchar"}, blogId={value=blogId, cfsqltype="cf_sql_integer"}}
);

if (isObject(existingBlog)) {
Expand Down Expand Up @@ -508,7 +513,7 @@ component extends="wheels.Controller" {
function deleteBlogTags(required blogId) {
try {
if (!isEmpty(blogId)) {
model("BlogTag").deleteAll(where="blogId = #arguments.blogId#");
model("BlogTag").deleteAll(where="blogId = :blogId", params={blogId={value=arguments.blogId, cfsqltype="cf_sql_integer"}});
}
} catch (any e) {
model("Log").log(
Expand All @@ -531,7 +536,7 @@ component extends="wheels.Controller" {
function deleteBlogCategories(required blogId) {
try {
if (!isEmpty(blogId)) {
model("BlogCategory").deleteAll(where="blogId = #arguments.blogId#");
model("BlogCategory").deleteAll(where="blogId = :blogId", params={blogId={value=arguments.blogId, cfsqltype="cf_sql_integer"}});
}
} catch (any e) {
model("Log").log(
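Review bot: deleteBlogTags and deleteBlogCategories still declare their argument as untyped `required blogId`, so a non-numeric value now fails inside the cfqueryparam binding and lands in the `catch` block that only logs, instead of being rejected at the call boundary. The sibling helpers getTagsByBlogid and getCategoriesByBlogid earlier in the same file declare `required numeric id`; the delete paths should match: `function deleteBlogTags(required numeric blogId) {` and `function deleteBlogCategories(required numeric blogId) {`. The `isEmpty(blogId)` guard also reads the unscoped name rather than `arguments.blogId`, which is pre-existing but worth tightening while here. Both functions' `catch` bodies continue past the hunk.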
15 changes: 11 additions & 4 deletions app/controllers/admin/NewsletterController.cfc
Expand Up @@ -202,7 +202,7 @@ component extends="app.Controllers.Controller" {
);

if (type == "user") {
var user = model("User").findOne(where="email = '#email#'");
var user = model("User").findOne(where="email = :email", params={email={value=email, cfsqltype="cf_sql_varchar"}});
if (isObject(user)) {
user.update(newsletter=false);
model("Log").log(
Expand All @@ -227,7 +227,7 @@ component extends="app.Controllers.Controller" {
};
}
} else {
var subscriber = model("NewsletterSubscriber").findOne(where="email = '#email#'");
var subscriber = model("NewsletterSubscriber").findOne(where="email = :email", params={email={value=email, cfsqltype="cf_sql_varchar"}});
if (isObject(subscriber)) {
subscriber.update(status="inactive");
model("Log").log(
Expand Down Expand Up @@ -369,7 +369,11 @@ component extends="app.Controllers.Controller" {

if (len(trim(searchTerm))) {
// Search in users table
var userSubscribers = model("User").findAll(where="newsletter = 1 AND (email LIKE '%#searchTerm#%' OR firstname LIKE '%#searchTerm#%' OR lastname LIKE '%#searchTerm#%')");
var searchPattern = "%" & searchTerm & "%";
var userSubscribers = model("User").findAll(
where="newsletter = 1 AND (email LIKE :term OR firstname LIKE :term OR lastname LIKE :term)",
params={term={value=searchPattern, cfsqltype="cf_sql_varchar"}}
);
for (var user in userSubscribers) {
subscribers.append({
email: user.email,
Expand All @@ -380,7 +384,10 @@ component extends="app.Controllers.Controller" {
}

// Search in newsletter_subscribers table
var nonUserSubscribers = model("NewsletterSubscriber").findAll(where="email LIKE '%#searchTerm#%'");
var nonUserSubscribers = model("NewsletterSubscriber").findAll(
where="email LIKE :term",
params={term={value=searchPattern, cfsqltype="cf_sql_varchar"}}
);
for (var subscriber in nonUserSubscribers) {
subscribers.append({
email: subscriber.email,
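Review bot: The new `var searchPattern = "%" & searchTerm & "%";` wraps the raw term, so `%` and `_` typed into the search box are still interpreted as LIKE wildcards; binding removes the injection but not the broadening, so a term of `%` returns every user and subscriber. Escape the metacharacters before wrapping and declare the escape character in both queries: `var searchPattern = "%" & reReplace(searchTerm, "([%_\\])", "\\\1", "all") & "%";` with `email LIKE :term ESCAPE '\'` (and the same `ESCAPE '\'` on each LIKE in the user query). The controller path suggests this listing is admin-only, so the impact is presumably over-broad results rather than exposure to unauthenticated callers. The enclosing function begins before the hunk.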
8 changes: 4 additions & 4 deletions app/controllers/admin/RolesController.cfc
Expand Up @@ -18,7 +18,7 @@ component extends="app.Controllers.Controller" {
if(id > 0) {
role = model("role").findByKey(params.id);
permissions = model("permission").findAll();
activePermission = model("RolePermission").findAll(select="permissionId", where="roleId = #val(params.id)#");
activePermission = model("RolePermission").findAll(select="permissionId", where="roleId = :roleId", params={roleId={value=val(params.id), cfsqltype="cf_sql_integer"}});
existingPermissionIds = [];
for (row in activePermission) {
arrayAppend(existingPermissionIds, row.permissionId);
Expand All @@ -32,7 +32,7 @@ component extends="app.Controllers.Controller" {
}

function checkRoleExistance(){
var checkExistingRole = model("Role").findAll(where="name = '#params.Name#'");
var checkExistingRole = model("Role").findAll(where="name = :name", params={name={value=params.Name, cfsqltype="cf_sql_varchar"}});
if(checkExistingRole.recordcount != 0){
renderText('<p class="fs-12 ms-2">A role already exist with this name! Role name must be unique.');
return;
Expand All @@ -43,7 +43,7 @@ component extends="app.Controllers.Controller" {

function store(){
try {
var checkExistingRole = model("Role").findAll(where="name = '#params.Name#'");
var checkExistingRole = model("Role").findAll(where="name = :name", params={name={value=params.Name, cfsqltype="cf_sql_varchar"}});
if(checkExistingRole.recordcount != 0 && params.id == 0){
redirectTo(action="index", error="A role already exist with name' #params.Name#'. Role name must be unique.");
return;
Expand Down Expand Up @@ -85,7 +85,7 @@ component extends="app.Controllers.Controller" {

// Update role permissions
permissionList = [];
model("RolePermission").deleteAll(where="roleId = #val(RoleData.id)#");
model("RolePermission").deleteAll(where="roleId = :roleId", params={roleId={value=val(RoleData.id), cfsqltype="cf_sql_integer"}});
for (fieldName in RoleData) {
if (left(fieldName, 11) == "permission-") {
// Extract the numeric part after the dash
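Review bot: The store() hunk binds `params.Name` in the uniqueness query but the redirect on the very next line still interpolates the same untrusted value into the flash message, `error="A role already exist with name' #params.Name#'. Role name must be unique."`; if the flash is rendered without output encoding that is a reflected XSS sink fed by a value this commit itself treats as untrusted. Encode at the point of use and fix the misplaced quote: `redirectTo(action="index", error="A role already exist with name '#encodeForHTML(params.Name)#'. Role name must be unique.");`. Whether the flash view encodes is not visible here, so confirm before relying on it. The check-then-insert in store() is also not atomic; a unique index on the role name column is the durable guarantee.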
28 changes: 15 additions & 13 deletions app/controllers/web/AuthController.cfc
Expand Up @@ -53,7 +53,7 @@ component extends="app.Controllers.Controller" {
}
);
// Check if user exists first (regardless of status)
var existingUser = model("User").findOne(where="email = '#params.email#'", include="Role");
var existingUser = model("User").findOne(where="email = :email", params={email={value=params.email, cfsqltype="cf_sql_varchar"}}, include="Role");

// If user doesn't exist, send registration invitation but return generic message
if (!isObject(existingUser)) {
Expand Down Expand Up @@ -81,7 +81,7 @@ component extends="app.Controllers.Controller" {
// Check if user is locked out
if (model("LoginAttempt").isUserLocked(params.email)) {
// Check if it's a manual lock by admin
var user = model("User").findOne(where="email = '#params.email#'");
var user = model("User").findOne(where="email = :email", params={email={value=params.email, cfsqltype="cf_sql_varchar"}});
var isManuallyLocked = isObject(user) && structKeyExists(user, "locked") && user.locked;

model("Log").log(
Expand Down Expand Up @@ -303,7 +303,7 @@ component extends="app.Controllers.Controller" {

// Check if user needs to submit testimonial
if (isObject(user.role) && user.role.name != 'Admin') {
var testimonial = model("Testimonial").findOne(where="userId = #val(user.id)#");
var testimonial = model("Testimonial").findOne(where="userId = :userId", params={userId={value=val(user.id), cfsqltype="cf_sql_integer"}});

model("Log").log(
category = "wheels.auth",
Expand Down Expand Up @@ -369,7 +369,7 @@ component extends="app.Controllers.Controller" {
if (structKeyExists(cookie, "remember_me")) {
var rawToken = cookie.remember_me;
var hashedToken = hash(rawToken, "SHA-256");
var rememberToken = model("RememberToken").findOne(where="token = '#hashedToken#'");
var rememberToken = model("RememberToken").findOne(where="token = :token", params={token={value=hashedToken, cfsqltype="cf_sql_varchar"}});
if (isObject(rememberToken)) {
rememberToken.delete();
}
Expand Down Expand Up @@ -451,7 +451,7 @@ component extends="app.Controllers.Controller" {
return;
}
// Check for duplicate email before calling saveUser
var existingUser = model("User").findFirst(where="email = '#params.email#'");
var existingUser = model("User").findFirst(where="email = :email", params={email={value=params.email, cfsqltype="cf_sql_varchar"}});
if (isObject(existingUser)) {
renderText("<p style='color:red;'>An account with this email address already exists.</p>");
return;
Expand Down Expand Up @@ -608,7 +608,7 @@ component extends="app.Controllers.Controller" {
}

private function validateCredentials(required string email, required string password) {
var user = model("User").findOne(where="email = '#email#' AND status = 'True'", include="Role");
var user = model("User").findOne(where="email = :email AND status = 'True'", params={email={value=email, cfsqltype="cf_sql_varchar"}}, include="Role");
if (!isObject(user)) {
return false; // User not found
}
Expand Down Expand Up @@ -749,7 +749,7 @@ component extends="app.Controllers.Controller" {
// Skip email sending in test mode
return true;
}
var user = model("User").findOne(where="email = '#email#'");
var user = model("User").findOne(where="email = :email", params={email={value=email, cfsqltype="cf_sql_varchar"}});
if (!isObject(user)) return false;
var verifyUrl = urlFor(action="verify", onlyPath=false) & "?token=" & token;
return sendTemplateEmail("Sign Up Account Verification", user.email, user.fullname, verifyUrl);
Expand Down Expand Up @@ -791,7 +791,7 @@ component extends="app.Controllers.Controller" {

try {
// Check if user already has a verification token
var existingToken = model("UserToken").findOne(where="user_id = #val(user.id)# AND status = 'false'");
var existingToken = model("UserToken").findOne(where="user_id = :userId AND status = 'false'", params={userId={value=val(user.id), cfsqltype="cf_sql_integer"}});

if (!isObject(existingToken)) {
// Generate a new verification token
Expand Down Expand Up @@ -828,7 +828,7 @@ component extends="app.Controllers.Controller" {

private function verifyToken(required string token) {
var message="";
var tokenRecord = model("UserToken").findOne(where="token = '#token#'");
var tokenRecord = model("UserToken").findOne(where="token = :token", params={token={value=token, cfsqltype="cf_sql_varchar"}});

if (isObject(tokenRecord)) {
// Check if token has expired
Expand All @@ -854,7 +854,7 @@ component extends="app.Controllers.Controller" {
}

private boolean function isRateLimited(required string ipAddress) {
var attempts = model("LoginAttempt").findAll(where="ip_address = '#ipAddress#' AND created_at > '#dateTimeFormat(dateAdd("n", -15, now()), "yyyy-MM-dd HH:nn:ss")#'");
var attempts = model("LoginAttempt").findAll(where="ip_address = :ipAddress AND created_at > :cutoff", params={ipAddress={value=ipAddress, cfsqltype="cf_sql_varchar"}, cutoff={value=dateTimeFormat(dateAdd("n", -15, now()), "yyyy-MM-dd HH:nn:ss"), cfsqltype="cf_sql_timestamp"}});
return attempts.recordCount >= 3;
}

Expand Down Expand Up @@ -919,7 +919,7 @@ component extends="app.Controllers.Controller" {
param name="params.email" default="";

try {
var user = model("User").findOne(where="email = '#params.email#'");
var user = model("User").findOne(where="email = :email", params={email={value=params.email, cfsqltype="cf_sql_varchar"}});

if (isObject(user)) {
// Generate reset token
Expand Down Expand Up @@ -971,7 +971,8 @@ component extends="app.Controllers.Controller" {

try {
var reset = model("PasswordReset").findOne(
where="token = '#params.token#' AND expiresAt > '#dateTimeFormat(now(), "yyyy-MM-dd HH:nn:ss")#' AND used = 0"
where="token = :token AND expiresAt > :now AND used = 0",
params={token={value=params.token, cfsqltype="cf_sql_varchar"}, now={value=dateTimeFormat(now(), "yyyy-MM-dd HH:nn:ss"), cfsqltype="cf_sql_timestamp"}}
);

if (!isObject(reset)) {
Expand Down Expand Up @@ -1004,7 +1005,8 @@ component extends="app.Controllers.Controller" {
try {
// Validate token
var reset = model("PasswordReset").findOne(
where="token = '#params.token#' AND expiresAt > '#dateTimeFormat(now(), "yyyy-MM-dd HH:nn:ss")#' AND used = 0"
where="token = :token AND expiresAt > :now AND used = 0",
params={token={value=params.token, cfsqltype="cf_sql_varchar"}, now={value=dateTimeFormat(now(), "yyyy-MM-dd HH:nn:ss"), cfsqltype="cf_sql_timestamp"}}
);

if (!isObject(reset)) {
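Review bot: The two PasswordReset lookups in the last two hunks now carry an identical where/params pair, and both format the current time to a string only to bind it as `cf_sql_timestamp`, while the sibling getBlogBySlug hunk in Controller.cfc passes `now()` directly. Pass the date object and fold the duplicate into one private helper, e.g. `params={token={value=params.token, cfsqltype="cf_sql_varchar"}, now={value=now(), cfsqltype="cf_sql_timestamp"}}`, so the expiry comparison does not depend on the string format and any later change to the validity rule happens in one place. The same applies to the cutoff in isRateLimited: `cutoff={value=dateAdd("n", -15, now()), cfsqltype="cf_sql_timestamp"}`. Each of these enclosing functions starts before its hunk.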
18 changes: 11 additions & 7 deletions app/controllers/web/BlogController.cfc
Expand Up @@ -348,7 +348,7 @@ component extends="app.Controllers.Controller" {
return Val(authorParam);
} else {
// Lookup user by username
var user = model("user").findOne(where = "username = '#arguments.authorParam#'");
var user = model("user").findOne(where = "username = :username", params={username={value=arguments.authorParam, cfsqltype="cf_sql_varchar"}});
if (IsObject(user)) {
return user.id;
} else {
Expand All @@ -374,7 +374,8 @@ component extends="app.Controllers.Controller" {
if (Len(Trim(searchTerm))) {
var searchPattern = "%#searchTerm#%";
var query = model("blog").findAll(
where = "blog_posts.status ='Approved' AND blog_posts.publishedAt IS NOT NULL AND blog_posts.publishedAt <= '#Now()#' AND (blog_posts.slug LIKE '#searchPattern#' OR blog_posts.title LIKE '#searchPattern#' OR blog_posts.content LIKE '#searchPattern#' OR fullname LIKE '#searchPattern#' OR email LIKE '#searchPattern#')",
where = "blog_posts.status ='Approved' AND blog_posts.publishedAt IS NOT NULL AND blog_posts.publishedAt <= '#Now()#' AND (blog_posts.slug LIKE :pattern OR blog_posts.title LIKE :pattern OR blog_posts.content LIKE :pattern OR fullname LIKE :pattern OR email LIKE :pattern)",
params = {pattern={value=searchPattern, cfsqltype="cf_sql_varchar"}},
include = "User, PostStatus, PostType",
order = "publishedAt DESC",
page = page,
Expand All @@ -384,7 +385,8 @@ component extends="app.Controllers.Controller" {
if (isInfiniteScroll) {
totalCount = model("blog").count(
include = "User, PostStatus, PostType",
where = "blog_posts.status ='Approved' AND blog_posts.publishedAt IS NOT NULL AND blog_posts.publishedAt <= '#Now()#' AND (blog_posts.slug LIKE '#searchPattern#' OR blog_posts.title LIKE '#searchPattern#' OR blog_posts.content LIKE '#searchPattern#' OR fullname LIKE '#searchPattern#' OR email LIKE '#searchPattern#')"
where = "blog_posts.status ='Approved' AND blog_posts.publishedAt IS NOT NULL AND blog_posts.publishedAt <= '#Now()#' AND (blog_posts.slug LIKE :pattern OR blog_posts.title LIKE :pattern OR blog_posts.content LIKE :pattern OR fullname LIKE :pattern OR email LIKE :pattern)",
params = {pattern={value=searchPattern, cfsqltype="cf_sql_varchar"}}
);
hasMore = (page * perPage) < totalCount;
isSearched = true;
Expand Down Expand Up @@ -619,7 +621,7 @@ component extends="app.Controllers.Controller" {

// Allow title change and check uniqueness
if (StructKeyExists(params, "title")) {
var existingBlog = model("Blog").findFirst(where = "title = '#params.title#' AND id != #blogId#");
var existingBlog = model("Blog").findFirst(where = "title = :title AND id != :blogId", params={title={value=params.title, cfsqltype="cf_sql_varchar"}, blogId={value=blogId, cfsqltype="cf_sql_integer"}});
if (IsObject(existingBlog)) {
result.success = false;
result.message = "A blog post with this title already exists.";
Expand Down Expand Up @@ -706,13 +708,15 @@ component extends="app.Controllers.Controller" {
);

if (StructKeyExists(form, "title")) {
var whereClause = "title = '#form.title#'";
var queryParams = {title={value=form.title, cfsqltype="cf_sql_varchar"}};
var whereClause = "title = :title";

if (StructKeyExists(form, "id") && IsNumeric(form.id) && form.id > 0) {
whereClause &= " AND id != #form.id#";
whereClause &= " AND id != :formId";
queryParams.formId = {value=form.id, cfsqltype="cf_sql_integer"};
}

var blogModel = model("Blog").findAll(where = whereClause);
var blogModel = model("Blog").findAll(where = whereClause, params = queryParams);

if (blogModel.recordCount != 0) {
renderText('<span class="text-danger">A blog already exists with this title!</span><input type="hidden" id="titleExists" value="1">');
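Review bot: Both search queries still interpolate `'#Now()#'` into the where string on the `blog_posts.publishedAt <= '#Now()#'` lines, while the sibling getBlogBySlug hunk in Controller.cfc binds the same comparison as a `cf_sql_timestamp` parameter; the interpolated form relies on the server's default date-to-string conversion and the database parsing it back. Replace it with `blog_posts.publishedAt <= :now` and add `now={value=Now(), cfsqltype="cf_sql_timestamp"}` to both params structs, and build the where clause once in a local so the findAll and the count cannot drift apart. Separately, matching `email LIKE :pattern` in what the `web/` path suggests is a public search lets a visitor probe for author email addresses one substring at a time; confirm the route is authenticated or drop email from the match list. `searchPattern` is built from the raw term on the context line above, so `%` and `_` remain wildcards here as well.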