Where the heck is InvalidTag coming from?

I've gotten this question many times so I thought I'd write up a quick FAQ. If you are displaying dynamic content on your ColdFusion site and see InvalidTag where the tag name of a script, object, embed, applet or meta tag should be, it means one of two things.

Either your ColdFusion Administrator has Enable Global Script Protection turned on, or your application has scriptProtect enabled: the scriptProtect attribute of the CFAPPLICATION tag, or this.scriptProtect in the This scope of your Application.cfc file, set to all or to a list of the scopes (form, url, cgi, cookie) that should be filtered. ColdFusion rewrites the tag name in those incoming variables before your code reads them, so the value is already altered by the time you display it.

This is a feature that helps prevent cross-site scripting attacks, but it is an input filter: it only rewrites the opening tag name of those five tags in the scopes it covers, so it is not a substitute for encoding what you send to the browser. Personally I don't use this feature as I always htmlEditFormat user input before displaying it. For more information about this feature, see this page from the LiveDocs:

Settings Page

So - raise your hand if you've seen this and had no idea what it was!

Archived Comments

Comment 1 by Mike Nimer posted on 1/6/2007 at 9:39 AM

And the string "invalidTag" is defined in the neo-security.xml as well as the regex pattern used to check for scripting hacks.

<code>
<var name="CrossSiteScriptPatterns">
<struct type="coldfusion.server.ConfigMap">
<var name="&lt;\s*(object|embed|script|applet|meta)">
<string>&lt;InvalidTag</string>
</var>
</struct>
</var>
</code>
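
To make the rewrite visible, here is a small model of the filter built from the pattern and replacement string quoted in the comment above, beside a model of htmlEditFormat() output encoding. This is an added example, not ColdFusion's own code: only the regex and the "<InvalidTag" string come from the neo-security.xml snippet; case-insensitive matching, the sample submissions and the helper names (script_protect, html_edit_format, render, compare) are assumptions made for the demonstration. It shows why readers see "<InvalidTag>" in their output (the opening tag name is rewritten, the closing tag is not), that ordinary markup such as <p> or <b> passes through untouched, and that a tag the pattern does not list, such as an <img> with an event-handler attribute, is also left alone by the filter while output encoding neutralises it.

```python
"""Model of ColdFusion's scriptProtect rewrite and of htmlEditFormat() output
encoding.  Added example, not ColdFusion's own code: only the pattern and the
replacement string come from the neo-security.xml snippet quoted above; the
matching flags, sample inputs and helper names are assumptions."""
import re

# From the quoted CrossSiteScriptPatterns entry.  re.IGNORECASE is an assumption:
# the snippet does not show which flags the server compiles the pattern with.
CROSS_SITE_SCRIPT_PATTERN = re.compile(r"<\s*(object|embed|script|applet|meta)", re.IGNORECASE)
REPLACEMENT = "<InvalidTag"


def script_protect(value: str) -> str:
    """What scriptProtect does to an incoming variable: the opening tag name of
    the five listed tags is rewritten to InvalidTag; nothing else is touched.
    Note that a closing tag such as </script> does not match the pattern."""
    return CROSS_SITE_SCRIPT_PATTERN.sub(REPLACEMENT, value)


def html_edit_format(value: str) -> str:
    """Model of htmlEditFormat(): encode &, <, > and " so the browser displays
    the markup instead of interpreting it."""
    return (value.replace("&", "&amp;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;")
                 .replace('"', "&quot;"))


# Constructed form submissions for the demonstration, not captured from any site.
SUBMISSIONS = {
    "script":    '<script>alert(1)</script>',
    "spaced":    '< script src="http://example.invalid/x.js"></script>',
    "embed":     '<embed src="movie.swf">',
    "markup":    '<p>Hello <b>world</b></p>',
    "img_event": '<img src=x onerror="alert(1)">',
}


def render(value: str, protect_on_input: bool, encode_on_output: bool) -> str:
    """Run one value through the two defences in the order CF applies them:
    scriptProtect when the request arrives, htmlEditFormat() when the page
    is generated."""
    if protect_on_input:
        value = script_protect(value)
    if encode_on_output:
        value = html_edit_format(value)
    return value


def compare(submissions=SUBMISSIONS) -> dict:
    """For each submission, what reaches the browser under each policy."""
    return {
        name: {
            "scriptProtect only": render(raw, True, False),
            "htmlEditFormat only": render(raw, False, True),
            "both": render(raw, True, True),
        }
        for name, raw in submissions.items()
    }


if __name__ == "__main__":
    for name, results in compare().items():
        print(name)
        for policy, out in results.items():
            print(f"  {policy:20s} {out}")
```

Running it shows the "<InvalidTag>alert(1)</script>" string that the post is about under "scriptProtect only", and "&lt;script&gt;alert(1)&lt;/script&gt;" under "htmlEditFormat only"; the "markup" and "img_event" rows are identical to their input under "scriptProtect only", because the pattern names only the five tags and nothing else.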

Comment 2 by DK posted on 1/6/2007 at 6:37 PM

There's currently a Secunia vulnerability listed for the cross site scripting feature as well. It was entered on 12 Dec 06 and is said to allow you to get around the feature.

http://secunia.com/advisori...

Comment 3 by Stefan posted on 1/7/2007 at 4:53 AM

Might this be what the latest hotfix (2006-11-30) fixes?
"64586 Hot fix to resolve a possible cross-site scripting (XSS) vulnerability in ColdFusion's handling of forms."
http://www.adobe.com/cfusio...

Comment 4 by Ryan Everhart posted on 1/8/2007 at 9:49 PM

Ray,
Thanks for the post, I've been having this issue on my codeShare site (http://codeshare.everfro.com, shameless plug). When users submit code with JS in it the script tag gets replaced with InvalidTag. Hopefully this will help me with my issue.

Ryan

Comment 5 by Hari posted on 5/21/2007 at 11:40 PM

Thanks for the post, it helped me to resolve the <InvalidTag issue that I faced.

Comment 6 by Brandon posted on 6/3/2008 at 10:47 PM

Is there any way to get around this? I am working on a site that is on a shared server, and they have enabled it in the cf administrator (and won't allow it to be overridden in Application.cfc). The client needs to be able to embed flash and object files, as well as edit meta tags, but those are all rendered "invalid".

Comment 7 by Raymond Camden posted on 6/4/2008 at 12:33 AM

What do they mean they won't allow you? They will kick you off the server? Nothing in CF prevents you from turning it off in App.cfc.

Unfortunately I think you are out of luck. I'd change hosts.

Comment 8 by ColdFusion developer posted on 6/7/2008 at 2:22 PM

Hi guys - I have a workaround for the problem you're mentioning.

http://www.beetrootstreet.c...

It basically uses onRequestEnd.cfm to re-write the SCRIPT tags. It can also be adapted to work in an Application.cfc environment.

Hope it helps.

Martin

Comment 9 by ColdFusion developer posted on 6/7/2008 at 2:22 PM

Seems the URL didn't insert properly. Try again..

http://www.beetrootstreet.c...

Martin

Comment 10 by Russ posted on 9/28/2009 at 5:58 PM

For some reason disabling it in the Application.cfm doesn't work; you have to disable it in the CF Admin.

Comment 11 by Raymond Camden posted on 9/28/2009 at 6:01 PM

I believe you are wrong Russ. The CFAPP can always overrule the CF Admin. I'd check again.

Comment 12 by Russ posted on 9/28/2009 at 6:35 PM

My BlogCFC has, and always has had, scriptprotect="none" in the cfapplication; it makes no difference. Only disabling script protection in the CF Admin solves the problem. I will humor your telling me to check again and post the code here for you.

<cfapplication name="#prefix#_blog_#blogname#" sessionManagement="true" loginStorage="session" scriptprotect="none">

Comment 13 by Raymond Camden posted on 9/28/2009 at 6:38 PM

Is caching turned on in the CF Admin? I mean trusted cache.

Comment 14 by TimD posted on 2/12/2010 at 5:54 AM

Thank you Thank you. I was stumped where this was coming from.

Comment 15 by ThutMose posted on 3/4/2010 at 12:27 AM

Ray,
I've run into the same issue that Russ did. Going to do some further testing, but with global script protect on, the override in the cfapplication doesn't seem to get picked up, or it's not allowed. A little odd. I believe BlogCFC comes out of the box that way. I've cleared the template cache just to be sure but the issue persists.

Comment 16 by Raymond Camden posted on 3/4/2010 at 12:29 AM

That seems odd. I've never seen the template get overridden by the server setting before. Please let me know what you find.

Comment 17 by Frank Gerritse posted on 5/3/2010 at 5:39 PM

Hi Raymond.

I have the same problem with this page http://www.4sixsix.nl/page....
See the source of this page. I have put scriptprotect="false" in the application file but nothing happens.
I have e-mailed the support desk of hostek.com to see if something has changed on the server.
This happened after an update to this page last week. Before that the YouTube movies were shown correctly on the page.

Comment 18 by Raymond Camden posted on 5/5/2010 at 12:43 AM

Sorry for the delay. Not sure what to tell you. Can you show me the code (ie, where you put in script protect). Also check to ensure your host doesn't have trusted cache turned on.

Comment 19 by anonymous posted on 7/7/2010 at 4:42 AM

Maybe help some folks who have been having trouble...

Depending on your version, the string "False" may NOT be equivalent to the boolean False. The string "No", however, IS equivalent.

Try writing:
scriptProtect = false

OR:
scriptProtect = "No"

Do not write:
scriptProtect = "false"

That might solve some of the problems for some of the people out there.

Comment 20 by Bill posted on 2/8/2011 at 5:50 PM

I'd like to have the script protection on, but it messes up the HTML Editor in the CMS for my site. Any recommendations?

Comment 21 by Raymond Camden posted on 2/8/2011 at 5:59 PM

Since you can only turn it off and on at the Application or server level, you are out of luck. You would need to do the protection manually.

Comment 22 by Bill posted on 2/8/2011 at 6:19 PM

Ah - I thought so. I don't suppose you have a handy 'how-to' posted somewhere do you? :-) Thanks.

Comment 23 by Raymond Camden posted on 2/8/2011 at 8:55 PM
Comment 24 by Brian Polackoff posted on 4/8/2015 at 6:40 PM

Raymond, Thanks as always for your posts! Years later they are still helping folks out there like me!

Comment 25 (In reply to #24) by Raymond Camden posted on 4/8/2015 at 6:48 PM

Glad to help!

Comment 26 (In reply to #8) by Charlie Arehart posted on 9/13/2018 at 11:08 PM

In case anyone else may come across this in the future, the URL that was attempted to be shared above got botched. And the beetrootstreet blog is no longer working (as I checked it), but I found the post with his interesting solution via the good ol' "internet wayback machine" (archive.org), here:

http://web.archive.org/web/...

I haven't tried the code, but I can confirm that like others above (even on CF2018), I could not seem to get the scriptprotect="none" (in application.cfm or cfc) to override the global Admin scriptprotect setting. Would love to find that better solution (or for Adobe to fix this). But until then perhaps the code in the blog post above may help someone (I just turned off the global scriptprotect, as I have FuseGuard and other WAFs protecting me).

Comment 27 (In reply to #26) by Raymond Camden posted on 9/14/2018 at 1:48 PM

Thanks for the update Charlie.