oasisp
Posts: 48
Posted: 12/18/2019, 8:28 AM
I have a few CCS forms (using Record Builder) that are flagged as High Risk for Cross-Site Scripting (XSS) by a security scan.
I had an individual inject a JS alert showing that my textbox input had vulnerabilities.
I have done research on PHP XSS and found examples, but for some reason I can't get them to work with a CCS form. How do I implement this on a CCS form?
I'm using PHP 7 and am trying to implement htmlspecialchars() or filter_var() for PHP XSS.
Here is my example HTML form:
<form action="{Action}" method="post" name="search">
<input type="text" name="q" value="search" />
<input type="submit" value="send" />
</form>
Not sure how to use this code on the CCS form to prevent Cross-Site Scripting (XSS). On Validation or before insert?
$input = htmlspecialchars($input, ENT_QUOTES); // encode <, >, &, " and ' as HTML entities
$input = filter_var($input, FILTER_SANITIZE_STRING); // strips tags; filter_var() returns the result rather than changing $input in place

PCHome
Posts: 57
Posted: 12/29/2019, 8:19 PM
Doubt you'll get much support as CodeCharge Studio seems all but defunct and I've never been able to get any sites to run on PHP 7.X. Since I run Linux now anyway and CCS doesn't work with it, I've been manually reworking all my sites. Let's see how long Yes Software leaves this reply as they seem to remove anything that speaks against them.

datadoit
Posts: 7
Posted: 01/29/2020, 10:38 AM
This typically shouldn't be happening on CodeCharge forms, but I have seen it bypass the built-in prevention methods, particularly on open pages or forms (those without any login security).
If you do see this happening, in your form select your text field, choose Events, and then add Server -> On Validate -> Call Function:
Function Name: $Component->SetValue
Parameter 1: htmlentities($Container->myfield->GetValue(), ENT_QUOTES | ENT_HTML5, 'UTF-8')

oasisp
Posts: 48
Posted: 01/29/2020, 1:30 PM
Thanks. I will try it out.

datadoit
Posts: 7
Posted: 01/30/2020, 11:05 AM
Also, to protect you on the client side, in your record form, add Client -> On Submit -> Custom Code:
$('#myfield').val($('#myfield').val().replace(/(<([^>]+)>)/ig,""));
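As an added worked example (not code from the original posts or from CodeCharge Studio), the PHP below renders the search box from the first post with the three treatments this thread mentions: the htmlspecialchars() call from the question, the htmlentities() call datadoit passes to $Component->SetValue in On Validate, and the tag-stripping regex from the On Submit snippet ported to preg_replace(). The function names, the breaksOut() check and the three payload strings are constructed for this illustration.

```php
<?php
declare(strict_types=1);

// Added example, not CodeCharge Studio code: compares the three treatments
// discussed in this thread against inputs a scanner would send to the
// search box from the first post. Function names, the breaksOut() check and
// the payload strings are constructed for this illustration.

// 1. htmlspecialchars() with ENT_QUOTES, as in the question. ENT_HTML5 and
//    an explicit charset are added so ' is encoded as well and the input is
//    checked as UTF-8.
function escapeSpecialChars(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 2. htmlentities() with ENT_QUOTES | ENT_HTML5, the call datadoit puts in
//    the On Validate event. It encodes everything htmlspecialchars() does
//    plus named entities for non-ASCII characters.
function escapeEntities(string $input): string
{
    return htmlentities($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 3. The tag-stripping regex from the On Submit snippet, ported from
//    JavaScript to PCRE. Stripping is not encoding: anything not shaped
//    like <...> passes through unchanged, including the " that closes a
//    value attribute.
function stripTags(string $input): string
{
    return preg_replace('/(<([^>]+)>)/i', '', $input);
}

// The search box from the question, with the value written into the
// attribute the way the form does it.
function renderSearchBox(string $value): string
{
    return '<input type="text" name="q" value="' . $value . '" />';
}

// True when the user value is no longer confined to the quoted attribute,
// i.e. a quote in the value has closed it early.
function breaksOut(string $html): bool
{
    return preg_match('/^<input type="text" name="q" value="[^"]*" \/>$/', $html) !== 1;
}

// Constructed inputs: a benign search, the scanner-style payload that opens
// a script tag, and an attribute-injection payload with no angle brackets.
const PAYLOADS = [
    'plain'     => 'search term',
    'script'    => '"><script>alert(1)</script>',
    'attribute' => '" autofocus onfocus="alert(1)',
];

foreach (PAYLOADS as $name => $raw) {
    $results = [
        'raw'                => $raw,
        'stripTags'          => stripTags($raw),
        'escapeEntities'     => escapeEntities($raw),
        'escapeSpecialChars' => escapeSpecialChars($raw),
    ];
    foreach ($results as $treatment => $value) {
        $html = renderSearchBox($value);
        printf("%-9s %-18s %s\n", $name, $treatment, breaksOut($html) ? 'BREAKS OUT' : 'contained');
        printf("%-9s %-18s %s\n", '', '', $html);
    }
}
```

Run it with `php` on the command line. Both encoders keep every payload inside the quoted value attribute. The tag stripper removes the `<script>` element but leaves the quote that closes the attribute, and it does nothing at all to the attribute-style payload, which contains no angle brackets; so the client-side regex is a convenience for the user, not a control the scanner will credit. One design point on the On Validate placement: it encodes before the record is saved, so the database holds entity-encoded text and every re-save of an unchanged value encodes it again unless it is decoded on the way out. Encoding at the point where the value is written into the HTML template avoids that.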

oasisp
Posts: 48
Posted: 01/31/2020, 10:19 AM
Awesome, thanks.