How to prevent cross-site-scripting and XSS?

Question

How to prevent cross-site-scripting and XSS?We are getting messages from unknown users like the below:[&lt;img src=x onerror=prompt('xss by codejump');&gt;&nbsp;&lt;img src=x onerror=prompt(/securitytesting/)&gt;]How to resolve this error?How to add error validations to the Rich text area of TinyMce editor?&nbsp;Thanks in advance,Sateesh.&nbsp;&nbsp;

parshant · Answer

sateesh999, You can use auto-escaping and output formats for XSS in freemarker.See guides in this linkhttps://freemarker.apache.org/docs/dgui_misc_autoescaping.html

sateesh999 · Answer

Thank you, Prashanth.I will check with the given&nbsp;guides in the below link and let you know if I need any help.https://freemarker.apache.org/docs/dgui_misc_autoescaping.html&nbsp;Regards,Sateesh.

luk · Answer

sateesh999&nbsp;do you have any idea how these messages are posted? TinyMCE does not allow any inline JS eventhandlers, they get stripped... try to post your above code, it doesn't work... but maybe if you get these messages posted via API, they are not sanitized...just a suspicion...

sateesh999 · Answer

luk&nbsp;,Thanks for your response,No Idea how they are posted the scripts into our community.we thought that they are injected through the below steps-go to https://community.xxxxx.com and login-Then click Start a "New Discussion"-Now you can see the vulnerable area "Subject " put here XSS payload"&gt;&lt;img src=x onerror=prompt(/abdullah/)&gt;-And fill other random stuff and Post, And go All forum topics-XSS executed===============And please let me know if they injected via API, Then how can we solve it?&nbsp;Regards,Sateesh.&nbsp;

luk · Answer

sateesh999&nbsp;I just tried your steps above and can't reproduce it, the input in the subject field gets HTML encoded, e.g. if I look at the source it is as below:		&lt;h2 itemprop="name" class="message-subject"&gt;
			&lt;span class="lia-message-read"&gt;
				
						&lt;a class="page-link lia-link-navigation lia-custom-event" id="link_2" href="/t5/&lt;boardid&gt;/lt-img-src-x-onerror-prompt-alittlexss-gt/td-p/1326"&gt;
							&amp;lt;img src=x onerror=prompt(/alittlexss/)&amp;gt;
							
						&lt;/a&gt;
					
			&lt;/span&gt;
		&lt;/h2&gt;- I posted trough&nbsp;/t5/forums/postpage/choose-node/true, is that the same URL for you where you see the behavior?- Is your "view all topics" page customized by you, e.g. do you aggregate the topics by yourself via API or are you using out of the box components?

Forum Discussion

How to prevent cross-site-scripting and XSS?

Related Content

Custom forms and XSS

Prevent Some Subscription Notification Emails

Khoros Cookies Datasheet (Community, Care, Marketing, Khoros Bot)

Valid And Invalid Severity 1 Examples

Preventing all skin CSS from loading

Recent Discussions

Madehgshhhhhhhhhhhhhhhhhh

Connecting Khoros data to CRM (Salesforce)

API v1 docs gone since Atlas migration to Aurora

Does anyone know how to change the display title of Custom Fields in Aurora?

Can someone walk me through authenticating and using Postman with Aurora?