Cross_Site_Scripting Problem


Cross_Site_Scripting Problem

Norbert Pfaff-2
Hi,

I have a username field in a form.

I save this field with something like  

[users]usrName:=_form{"name"}
Save record[users]

Now my customer (a town) has had a penetration test, and the people who did it say there is a problem when somebody enters something like this as his username:

xxx"><script>alert('xss in user');</script>

The next time I open the user record, a dialog with "xss in user" appears.

What is an easy way to check for characters that are not allowed?

Greetings/regards
Norbert
       

Norbert Pfaff
Hammelstalstr. 52
67098 Bad Dürkheim

Fon: 06322 9108028
Skype:    npfaff
eMail: [hidden email]



_______________________________________________
Active4D-dev mailing list
[hidden email]
http://list.aparajitaworld.com/listinfo/active4d-dev
Archives: http://active4d-nabble.aparajitaworld.com/

Re: Cross_Site_Scripting Problem

Aparajita Fishman
To sanitize input against XSS, use https://github.com/cure53/DOMPurify on the client side, something like this:

        // Run every field of the first form through DOMPurify before submit.
        // document.form is not a standard DOM property; document.forms[0] is.
        function submitForm() {
                var elements = document.forms[0].elements;

                for (var i = 0; i < elements.length; i++) {
                        elements[i].value = DOMPurify.sanitize(elements[i].value);
                }

                // Returning true lets the form submission continue.
                return true;
        }

The other thing is to always use 'html encode(value; *)' when you are rendering database values. This converts any HTML special characters to HTML entities.

All the best,

  - Aparajita

> On Feb 22, 2018, at 3:15 AM, Norbert Pfaff <[hidden email]> wrote:
>
> Hi,
>
> I have a username field in a form.
>
> I save this field with something like
>
> [users]usrName:=_form{"name"}
> Save record[users]
>
> Now my customer (a town) has had a penetration test, and the people who did it say there is a problem when somebody enters something like this as his username:
>
> xxx"><script>alert('xss in user');</script>
>
> The next time I open the user record, a dialog with "xss in user" appears.
>
> What is an easy way to check for characters that are not allowed?
>
> Greetings/regards
> Norbert

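The output-encoding half of the advice above, as an added example that is not part of the thread: it takes the exact username payload quoted in Norbert's message, renders it into the form field once unchanged and once HTML-encoded, and counts the tags a browser would parse. The encoder mirrors what Active4D's 'html encode' is described as doing; the function and element names here are assumptions for the demo. Client-side sanitizing only helps browsers that run the script, so the value must be encoded wherever it is rendered.

```javascript
// Added example, not code from the original thread or from Active4D.
// Encode the five characters that let a value break out of HTML text or
// attribute context. Encoding on output neutralises a stored payload no
// matter how it reached the database.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// The user-record page writes the stored name back into the form field.
// Unencoded: the closing quote and > in the value end the <input> tag.
function renderUnsafe(username) {
  return '<input name="name" value="' + username + '">';
}

// Encoded: the whole value stays inside the attribute as inert text.
function renderEncoded(username) {
  return '<input name="name" value="' + htmlEncode(username) + '">';
}

// Count opening and closing tags the HTML parser would see. A correctly
// encoded page has exactly one: the <input> itself.
function countTags(html) {
  return (html.match(/<\/?[a-zA-Z]/g) || []).length;
}

// Constructed sample: the payload quoted in the original question.
const STORED_USERNAME = 'xxx"><script>alert(\'xss in user\');</script>';

function demo() {
  const unsafe = renderUnsafe(STORED_USERNAME);
  const safe = renderEncoded(STORED_USERNAME);
  return {
    unsafeTags: countTags(unsafe), // <input, <script, </script
    safeTags: countTags(safe),     // <input only
    safeHtml: safe,
  };
}
```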