Forum Discussion
sateesh999, you can use auto-escaping and output formats in FreeMarker to prevent XSS.
See the guides at this link:
https://freemarker.apache.org/docs/dgui_misc_autoescaping.html
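To make the advice above concrete, here is an added example (not code from this thread, from Khoros, or from the FreeMarker documentation) that renders a subject string through FreeMarker three ways: with the HTML output format set on the Configuration so `${...}` is auto-escaped, with `?no_esc` opting a single interpolation out of escaping, and with no output format set at all. It assumes FreeMarker 2.3.31 is on the classpath; the sample subject is the payload quoted later in this thread, and the `<h2 class="message-subject">` wrapper is a simplified stand-in for the real page markup.

```java
import freemarker.core.HTMLOutputFormat;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

public class SubjectEscapingDemo {

    // Constructed sample input: the subject payload quoted in this thread.
    static final String SUBJECT = "\"><img src=x onerror=prompt(/abdullah/)>";

    // Renders an inline FTL template with {subject: SUBJECT} and returns the output.
    static String render(Configuration cfg, String ftl) throws IOException, TemplateException {
        Template template = new Template("subject", ftl, cfg);
        Map<String, Object> model = new HashMap<>();
        model.put("subject", SUBJECT);
        StringWriter out = new StringWriter();
        template.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Hardened configuration: every template is treated as HTML, so ${...}
        // escapes < > " ' & into entities unless a template explicitly opts out.
        Configuration html = new Configuration(Configuration.VERSION_2_3_31);
        html.setOutputFormat(HTMLOutputFormat.INSTANCE);

        String safe = render(html, "<h2 class=\"message-subject\">${subject}</h2>");
        System.out.println("auto-escaped : " + safe);
        // Browser sees text, not a tag:
        // <h2 class="message-subject">&quot;&gt;&lt;img src=x onerror=prompt(/abdullah/)&gt;</h2>

        // Opt-out: ?no_esc tells FreeMarker the value is already markup, so the
        // payload is emitted verbatim. This is the pattern to grep for in custom components.
        String optedOut = render(html, "<h2 class=\"message-subject\">${subject?no_esc}</h2>");
        System.out.println("?no_esc      : " + optedOut);

        // Legacy configuration: with no output format set (FreeMarker's default),
        // auto-escaping is off and ${subject} is emitted verbatim as well.
        Configuration legacy = new Configuration(Configuration.VERSION_2_3_31);
        String unescaped = render(legacy, "<h2 class=\"message-subject\">${subject}</h2>");
        System.out.println("no format    : " + unescaped);
    }
}
```

Setting the output format on the Configuration (or naming templates `.ftlh`) is what turns escaping on by default; any `?no_esc`, `<#noautoesc>` block, or template rendered under a configuration without a markup output format is a place where a subject string reaches the page unencoded.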
Thank you, Prashanth.
I will check the guides in the link below and let you know if I need any help.
https://freemarker.apache.org/docs/dgui_misc_autoescaping.html
Regards,
Sateesh.
- luk, 6 years ago (Boss)
sateesh999, do you have any idea how these messages are posted? TinyMCE does not allow any inline JS event handlers; they get stripped. Try to post your above code, it doesn't work. But maybe if these messages get posted via API, they are not sanitized... just a suspicion...
- sateesh999, 6 years ago (Contributor)
luk,
Thanks for your response. No idea how they posted the scripts into our community.
We thought that they were injected through the steps below:
- Go to https://community.xxxxx.com and log in.
- Then click Start a "New Discussion".
- Now you can see the vulnerable area "Subject"; put the XSS payload here:
"><img src=x onerror=prompt(/abdullah/)>
- Fill in other random stuff and Post, then go to All forum topics.
- XSS executed.
===============
And please let me know, if they injected it via API, then how can we solve it?
Regards,
Sateesh.
- luk, 6 years ago (Boss)
sateesh999, I just tried your steps above and can't reproduce it; the input in the subject field gets HTML-encoded, e.g. if I look at the source it is as below:
<h2 itemprop="name" class="message-subject"> <span class="lia-message-read"> <a class="page-link lia-link-navigation lia-custom-event" id="link_2" href="/t5/<boardid>/lt-img-src-x-onerror-prompt-alittlexss-gt/td-p/1326"> &lt;img src=x onerror=prompt(/alittlexss/)&gt; </a> </span> </h2>
- I posted through /t5/forums/postpage/choose-node/true; is that the same URL for you where you see the behavior?
- Is your "view all topics" page customized by you, e.g. do you aggregate the topics yourself via API, or are you using out-of-the-box components?