Security issue - Cross Site scripting?
[eluser]huzzi[/eluser]
Hi Guys! I'm running a website on CI 1.7.2. I've been told by a security expert that my site is vulnerable to cross site scripting as explained below.

Quote:
For the issue relating to More Comersus Cart, whether or not you are this is what's added to the source code.

Code:
<link rel="canonical" href="http://www.domain.com/scripts/backofficeplus/comersus_backoffice_supportError.asp?error=[removed]alert('XSS')<.html" />
[REMOVED]=SCRIPT

My question is, is this something I should be concerned about? If so, what's the solution? Many thanks in advance.

Huzzi
[eluser]WanWizard[/eluser]
YES! Never trust user input, no matter where it comes from. So that includes GET variables. XSS clean them.
[eluser]huzzi[/eluser]
[quote author="WanWizard" date="1299806013"]YES! Never trust user input, no matter where it comes from. So that includes GET variables. XSS clean them.[/quote]

Thanks for your reply. In my config file I have $config['global_xss_filtering'] = TRUE; that should do the job, shouldn't it? Thanks again.
[eluser]WanWizard[/eluser]
It should. But it depends on how you access your URL variables. And which CI version you use.
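The two points raised in this thread, reading GET variables through CodeIgniter's Input class with XSS cleaning and escaping them for the attribute they land in, as an added example that is not code from the original posts. It assumes a CI 1.7-style controller named Support, the Input class methods get() and xss_clean(), and a helper name attr_escape() chosen here for illustration.

```php
<?php
// Added example, not from the thread: one controller action that writes a
// GET parameter into a <link href="..."> attribute, the pattern reported above.
class Support extends Controller
{
    function error()
    {
        // Vulnerable pattern: the raw GET value is dropped straight into an
        // attribute, so quotes and angle brackets in it break out of href="...".
        // $error = $_GET['error'];
        // echo '<link rel="canonical" href="/support/error?error=' . $error . '" />';

        // Hardened pattern. The second argument asks the Input class to run
        // xss_clean() on the value; $config['global_xss_filtering'] = TRUE does
        // the same for every request, but only for data read through $this->input.
        $error = $this->input->get('error', TRUE);
        if ($error === FALSE) {
            $error = '';
        }

        // xss_clean() strips known script vectors; it does not make a string
        // safe for a specific output context, so encode for the URL and the
        // HTML attribute the value is placed in.
        $safe = attr_escape($error);

        echo '<link rel="canonical" href="/support/error?error=' . $safe . '" />';
    }
}

// Helper (assumed name): percent-encode a query-string value, then escape it
// for use inside a double-quoted HTML attribute.
function attr_escape($value)
{
    return htmlspecialchars(rawurlencode($value), ENT_QUOTES, 'UTF-8');
}
```

Global filtering only covers values read through the Input class; code that reads $_GET directly bypasses it, which is the "depends on how you access your URL variables" caveat above.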