  1. #1
    SitePoint Addict

    WebApp Cross Site Scripting found in Non-200 responses

    McAfee PCI scan says there is a Cross Site vulnerability with this code:

    PHP Code:
     <input type="hidden" name="referer" value="<?php echo Mage::helper('core/url')->getCurrentUrl() ?>" />
    and also with this code:

    PHP Code:
    <meta property="og:url" content="<?php $url="http://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']; echo $url?>" />
    Some brief instructions from McAfee say this:

    When accepting user input ensure that you are HTML encoding potentially malicious characters if you ever display the data back to the client.

    Ensure that parameters and user input are sanitized by doing the following:
    Remove < input and replace with &lt;
    Remove > input and replace with &gt;
    Remove ' input and replace with &apos;
    Remove " input and replace with &#x22;
    Remove ) input and replace with &#x29;
    Remove ( input and replace with &#x28;
    I have tried to replace some characters but they don't work.

    How does one go about fixing these issues?

    Thanks

  2. #2
    Community Advisor
    Wrap your echo in htmlentities using the ENT_QUOTES option.

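One way to apply that advice, as an added example that is not code from this thread or from Magento: both flagged snippets rewritten so the echoed URL is passed through htmlentities() with ENT_QUOTES before it lands inside an attribute. The helper names attr, hiddenReferer and ogUrl are assumed, and $currentUrl stands in for what Mage::helper('core/url')->getCurrentUrl() returns; the example also encodes HTTP_HOST, since the Host header is client-supplied as well.

```php
<?php
// Added example (not from the thread or Magento): the two flagged snippets
// rewritten so the echoed value cannot break out of the attribute it sits in.

// Encode a value for use inside a quoted HTML attribute. ENT_QUOTES makes
// htmlentities() encode both " and ', which the default (ENT_COMPAT) does not;
// passing the charset explicitly avoids encoding surprises between PHP versions.
function attr(string $value): string
{
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

// Hidden "referer" field. $currentUrl is assumed to hold what
// Mage::helper('core/url')->getCurrentUrl() returns, i.e. the request URL,
// which reflects whatever path and query string the client sent.
function hiddenReferer(string $currentUrl): string
{
    return '<input type="hidden" name="referer" value="' . attr($currentUrl) . '" />';
}

// og:url meta tag. HTTP_HOST comes from the client's Host header, so it is
// user input too and is encoded together with REQUEST_URI.
function ogUrl(string $host, string $requestUri): string
{
    $url = 'http://' . $host . $requestUri;
    return '<meta property="og:url" content="' . attr($url) . '" />';
}

// Constructed sample request URI of the kind a scanner sends: the query string
// carries a double quote, which in the original code closes the value="..."
// attribute early; after attr() it is emitted as &quot; and stays inside it.
$sampleUri = '/catalog/search?q="><b>x</b>';

echo hiddenReferer('http://example.com' . $sampleUri), "\n";
echo ogUrl('example.com', $sampleUri), "\n";
```

Run it from the command line with php and compare the two printed tags against the originals in post #1: every ", <, > in the URL now appears as an entity, so the scanner's injected quote no longer terminates the attribute.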
  3. #3
    SitePoint Addict
    It appears this line of code wasn't the problem but a form I was working on.

