Forum Discussion
luk,

Thanks for your response.

No idea how they posted the scripts into our community. We thought that they were injected through the steps below:

- Go to https://community.xxxxx.com and log in.
- Then click Start a "New Discussion".
- Now you can see the vulnerable area: in "Subject", put the XSS payload `"><img src=x onerror=prompt(/abdullah/)>`.
- Fill in other random stuff and post, then go to "All forum topics".
- XSS executed.

===============

And please let me know: if they injected it via the API, then how can we solve it?

Regards,
Sateesh.
sateesh999 I just tried your steps above and can't reproduce it; the input in the subject field gets HTML encoded, e.g. if I look at the source it is as below:

```html
<h2 itemprop="name" class="message-subject">
<span class="lia-message-read">
<a class="page-link lia-link-navigation lia-custom-event" id="link_2" href="/t5/<boardid>/lt-img-src-x-onerror-prompt-alittlexss-gt/td-p/1326">
&lt;img src=x onerror=prompt(/alittlexss/)&gt;
</a>
</span>
</h2>
```

- I posted through /t5/forums/postpage/choose-node/true; is that the same URL for you where you see the behavior?
- Is your "view all topics" page customized by you, e.g. do you aggregate the topics yourself via the API, or are you using out-of-the-box components?
luk, 6 years ago

sateesh999 I did some more digging into this and came up with another question for you: how do you render/output that "view all topics" component? Is it custom? And if so, is it rendered via JavaScript (Angular, jQuery, whatever) directly from the JSON of an API response?
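The distinction luk is asking about, as an added example that is not code from this thread or from the community platform: a custom "view all topics" component that builds markup from API JSON is only safe if each untrusted field is HTML-encoded at the point it enters the markup. The API response shape (`id`, `subject`, `href`) and every function name below are assumptions for illustration.

```javascript
// Added illustration (not from the thread or the platform): rendering a "view all topics"
// list on the client from API JSON. Whether the subject is HTML-encoded on output decides
// whether a stored subject like the one in the thread becomes markup or stays visible text.

// Constructed sample API response. The field names (id, subject, href) are assumptions,
// not the community platform's real API schema.
const sampleTopics = [
  { id: 1326, subject: '"><img src=x onerror=prompt(/alittlexss/)>', href: '/t5/board/td-p/1326' },
  { id: 1327, subject: 'Login & password reset question', href: '/t5/board/td-p/1327' },
  { id: 1328, subject: 'Off-site link', href: 'javascript:void(0)' },
];

// Entity-encode the five characters that matter inside element content and quoted attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Attribute encoding alone does not make an href safe: a "javascript:" URL is still a URL.
// Allow only site-relative paths and http(s) URLs; anything else is replaced with "#".
function safeHref(href) {
  const s = String(href).trim();
  if (s.startsWith('/') && !s.startsWith('//')) return s;
  if (/^https?:\/\//i.test(s)) return s;
  return '#';
}

// Unsafe pattern: interpolating raw API fields into markup that is later assigned to
// innerHTML (or handed to a template helper that does not encode). The stored subject is
// interpreted as HTML, which is the behaviour reported at the top of the thread.
function renderTopicUnsafe(topic) {
  return `<a class="page-link" href="${topic.href}">${topic.subject}</a>`;
}

// Safe pattern: encode every untrusted field where it enters markup and validate the URL
// separately. The same subject now renders as text, matching the encoded source luk quoted.
function renderTopicSafe(topic) {
  return `<a class="page-link" href="${escapeHtml(safeHref(topic.href))}">${escapeHtml(topic.subject)}</a>`;
}

// Build the whole list with a chosen renderer.
function renderTopicList(topics, renderTopic) {
  return topics.map((t) => `<li>${renderTopic(t)}</li>`).join('\n');
}

// Audit helper: does the rendered markup contain any tag other than the <a> and <li> that
// the template itself emits? If so, some field was interpolated without encoding.
function hasUnexpectedTags(html) {
  const tags = html.match(/<\/?[a-z][^\s>]*/gi) || [];
  return tags.some((t) => !/^<\/?(a|li)$/i.test(t));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:\n' + renderTopicList(sampleTopics, renderTopicUnsafe));
  console.log('safe:\n' + renderTopicList(sampleTopics, renderTopicSafe));
}
```

If the component assigns text with `element.textContent` (or a framework binding that escapes by default, such as Angular's `{{ }}` interpolation) instead of `innerHTML`, the encoding step is done by the browser for you; the risk shows up wherever a template bypasses that, e.g. jQuery `.html()` or `[innerHTML]` bindings fed directly from the JSON.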