RegEx to find CFML tags nested in HTML tags

D

Dean H. Saxe

I'm currently developing a tool in perl to search out potential XSS
(Cross Site Scripting) vulnerabilities and correct them in a
ColdFusion based web app. I've been having great success so far,
however, one scenario has me banging my head against the wall.

I need a regex to find all <cfoutput ...>...</cfoutput> blocks in a
CFM template. The regex should find all such blocks that are *not*
nested within HTML tags (the tag itself, <cfoutput> blocks located
between an opening and closing tag are OK). In other words a tag that
looks like the following:

<link rel="<cfoutput>#directory#/foo.css</cfoutput>">

should be ignored by the regex.

I have tried this a number of ways, however, I have not ocme up with a
solution yet.

The basic RegEx to match the <cfoutput> block is:

$text =~ s/(<cfoutput[^>]*>.*?<\/cfoutput>)/process_cfoutput($1)/sige;

This of course doesn't provide the tag exclusion that I am looking
for.

The next RegEx finds the <cfoutput> block in the tag and continues
matching through the first <cfoutput> block it finds not nested in a
tag, returning too much data.

$text =~ s/(<cfoutput[^>]*>.*?<\/cfoutput>)(?=[^>]*(<|$))/process_cfoutput($1)/sige;

From this point forward I tried various lookaround constructs to limit
the scope of the match without any luck. Any help that can be offered
is greatly appreciated.


Thanks,
-dhs
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

No members online now.

Forum statistics

Threads
473,733
Messages
2,569,440
Members
44,831
Latest member
HealthSmartketoReviews

Latest Threads

Top