Cross-site Scripting Attack Security Issue: Sanitize Input

4 posts by 2 authors in: Forums > CMS Builder
Last Post: March 26, 2014

By Damon - March 24, 2014

Hi clowden,

We take Cross-Site Scripting security very seriously here. We explicitly sanitize inputs in the CMS Builder admin panel, in code generated by the Code Generator for front end websites, and in code we post here on the forums for people to use in their front ends.

We'd like to check and make sure your client's not exposed. Can you provide us with more details on how to replicate these problems?

Please send in a Support Request with details:
https://www.interactivetools.com/support/email_support_form.php?priority=free&message=http://www.interactivetools.com/forum/forum-posts.php?Cross-site-Scripting-Attack-Security-Issue-Sanitize-Input-79388

Don't post any sensitive details in the forum.
Thanks!

Cheers,
Damon Edis - interactivetools.com

Hire me! Save time by getting our experts to help with your project.
http://www.interactivetools.com/consulting/

By clowden - March 24, 2014

Damon,

Thanks for getting back to me. I did as you asked and filled out a Support Request with all of the information. 

By Damon - March 26, 2014

Hi,

Thanks for sending in the site details.

Chris reviewed both and updated the code to be secure. I will email you directly with more details.

The main security issue for both was that you were accepting queries from the URL but not filtering them in any way.

When outputting variables that you are getting from the URL, add htmlspecialchars() to prevent someone from entering code and being able to execute it.

Cheers,
Damon Edis - interactivetools.com

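As an added example (not code from this thread or from CMS Builder itself), a minimal PHP page that reflects a URL parameter the unsafe way the post describes, beside the htmlspecialchars() fix; the parameter name q and the sample values are assumptions.

```php
<?php
// Added example, not CMS Builder's own code. Assumes a page such as
// search.php?q=... that echoes the query string value back into the HTML.

// Constructed sample values standing in for $_GET['q'] on real requests.
// On a live page you would start from: $q = $_GET['q'] ?? '';
$samples = [
    'plain'  => 'cms builder',
    'markup' => '<b>bold</b>',
    'quote'  => '"><i>injected</i>',
];

// Unsafe: the raw URL value is written straight into the page, so any
// markup in the query string becomes part of the document (reflected XSS).
function render_unsafe(string $q): string
{
    return "<p>You searched for: {$q}</p>"
         . "<input type=\"text\" name=\"q\" value=\"{$q}\">";
}

// Safe: encode at output time for the HTML context the value lands in.
// ENT_QUOTES also escapes single and double quotes, so the same helper is
// safe inside a quoted attribute; the charset must match the page encoding.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

function render_safe(string $q): string
{
    return '<p>You searched for: ' . h($q) . '</p>'
         . '<input type="text" name="q" value="' . h($q) . '">';
}

foreach ($samples as $label => $q) {
    echo "--- {$label} ---\n";
    echo 'unsafe: ' . render_unsafe($q) . "\n";
    echo 'safe:   ' . render_safe($q) . "\n";
}
```

Run with `php search_example.php` and compare the two lines per sample: the unsafe output keeps the tags and the attribute breakout intact, while the safe output shows them as literal text.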