I use SSL on my customer account pages and checkout. I removed these programs mentioned above and installed another form processor but that didn't work either. So now I'm trying Magento's native form processing. But the scan keeps finding something wrong. Just three things but unless I can fix them I can't be PCI compliant. A couple things I removed like page tracker, which isn't a form but the scan says it's vulnerable to injection. Yes, most of my security issues seem to be with forms that only collect name and email address.
I don't keep credit card information but I would like to because I always thought it was nice on a second purchase not to have to re-enter credit card info. But it's not real important but might be a convenience to the customer. It's not really to secure the customer's email address (although that would be ideal) but to I guess protect the whole site from some kind of XSS attack.
Anyway, it looks like I'm supposed to change my form (and any other place) with what appears to be HTML entities. Like change <input ... to <input ... but that doesn't work. When I do that it displays the input on the page as text. So now it seems what I need is some kind of script that does "search and replace?!"
For an example here's one place the scan says is vulnerable:
<meta property="og:url" content="<?php $url="http://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']; echo $url; ?>" />
It took me a long time to figure out the code for that! Now McAfee says it's vulnerable. It doesn't appear to be related to a form. It's so when people "Like" a product it will create a link straight to that product page and not just to the home page.
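The og:url snippet is flagged because `$_SERVER['HTTP_HOST']` and `$_SERVER['REQUEST_URI']` are request-controlled and are echoed raw inside an HTML attribute. The following is an added example (not from the original post or from Magento) of building the same tag from a configured base URL plus an encoded path; `SITE_BASE_URL` and `safe_og_url()` are assumed names chosen for the example.

```php
<?php
// Added example, not the poster's or Magento's code.
// Assumption: the canonical scheme and host come from site configuration
// (a constructed placeholder here), not from the Host header.
const SITE_BASE_URL = 'https://www.example.com';

/**
 * Build the canonical URL for the current request and return it
 * already encoded for use inside an HTML attribute value.
 *
 * Defects in the original one-liner that this addresses:
 *  - HTTP_HOST is attacker-controlled, so the host must not be trusted;
 *  - REQUEST_URI is echoed unencoded inside content="...", so a quote or
 *    angle bracket in the request can break out of the attribute.
 */
function safe_og_url(string $requestUri): string
{
    // Keep only the path and query parts of the request.
    $parts = parse_url($requestUri);
    if ($parts === false) {
        return SITE_BASE_URL . '/';
    }
    $path = $parts['path'] ?? '/';
    // A path must start with "/" and carry no control characters.
    if ($path === '' || $path[0] !== '/' || preg_match('/[\x00-\x1f\x7f]/', $path)) {
        $path = '/';
    }
    $query = isset($parts['query']) ? '?' . $parts['query'] : '';
    $url = SITE_BASE_URL . $path . $query;

    // Output encoding: &, <, >, " and ' become entities, so the value
    // cannot terminate the attribute or start a tag.
    return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Demo with a constructed request URI that contains attribute-breaking characters.
$constructedUri = '/catalog/product/view/id/1?ref="><b>injected</b>';
echo '<meta property="og:url" content="' . safe_og_url($constructedUri) . '" />' . PHP_EOL;
// The quote and angle brackets come out as &quot; &lt; &gt;, so the
// browser reads them as part of the URL text, not as markup.
```

Drop this into the template in place of the inline `$url` assignment; the product page still gets a direct link for the "Like" button, while the scanner no longer sees raw request data in the attribute.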