Forum Discussion
sateesh999, you can use auto-escaping and output formats to prevent XSS in FreeMarker.
See the guide at this link:
https://freemarker.apache.org/docs/dgui_misc_autoescaping.html
- sateesh999 (6 years ago, Contributor)
Thank you, Prashanth.
I will check the guides at the link below and let you know if I need any help.
https://freemarker.apache.org/docs/dgui_misc_autoescaping.html
Regards,
Sateesh.
- luk (6 years ago, Boss)
sateesh999, do you have any idea how these messages are posted? TinyMCE does not allow any inline JS event handlers, they get stripped... try to post your above code, it doesn't work... but maybe if you get these messages posted via API, they are not sanitized... just a suspicion...
- sateesh999 (6 years ago, Contributor)
luk,
Thanks for your response. No idea how they posted the scripts into our community.
We thought that they are injected through the below steps:
- Go to https://community.xxxxx.com and login
- Then click Start a "New Discussion"
- Now you can see the vulnerable area "Subject"; put the XSS payload here:
"><img src=x onerror=prompt(/abdullah/)>
- Fill in other random stuff and Post, and go to All forum topics
- XSS executed
===============
And please let me know, if they injected via API, then how can we solve it?
Regards,
Sateesh.
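As an added illustration of Prashanth's suggestion (not code from the thread or from the community platform): rendering the quoted "Subject" value through a FreeMarker template with and without the HTML output format. Because escaping happens at output time, it neutralises the markup regardless of whether the post arrived through the TinyMCE editor or through an API. Assumes FreeMarker 2.3.24 or later and Java 11+; template names and the `render` helper are constructed for this demo.

```java
// Added example: FreeMarker auto-escaping for a forum "Subject" field.
import freemarker.cache.StringTemplateLoader;
import freemarker.core.HTMLOutputFormat;
import freemarker.template.Configuration;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringWriter;
import java.util.Map;

public class SubjectEscapingDemo {

    // The payload quoted in the thread, stored as if it were a topic subject.
    static final String SUBJECT = "\"><img src=x onerror=prompt(/abdullah/)>";

    // Load one template body from a string and render it with the given model.
    static String render(Configuration cfg, String name, String body,
                         Map<String, Object> model) throws IOException, TemplateException {
        StringTemplateLoader loader = new StringTemplateLoader();
        loader.putTemplate(name, body);
        cfg.setTemplateLoader(loader);        // also resets the template cache
        StringWriter out = new StringWriter();
        cfg.getTemplate(name).process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        Map<String, Object> model = Map.of("subject", SUBJECT);

        // Weak: no output format set, so ${subject} is copied verbatim into the HTML.
        Configuration unsafe = new Configuration(Configuration.VERSION_2_3_31);
        System.out.println(render(unsafe, "topic.ftl", "<h2>${subject}</h2>", model));
        // prints: <h2>"><img src=x onerror=prompt(/abdullah/)></h2>

        // Fixed: HTML output format enables auto-escaping for every ${...} interpolation.
        // Alternatively call setRecognizeStandardFileExtensions(true) and name templates *.ftlh.
        Configuration safe = new Configuration(Configuration.VERSION_2_3_31);
        safe.setOutputFormat(HTMLOutputFormat.INSTANCE);
        System.out.println(render(safe, "topic.ftl", "<h2>${subject}</h2>", model));
        // prints: <h2>&quot;&gt;&lt;img src=x onerror=prompt(/abdullah/)&gt;</h2>

        // Caveat: ?no_esc opts a single value out of escaping and reintroduces the
        // problem, so every use of it in templates should be reviewed.
        System.out.println(render(safe, "topic-noesc.ftl", "<h2>${subject?no_esc}</h2>", model));
    }
}
```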