php-notifications icon indicating copy to clipboard operation
php-notifications copied to clipboard

Published 20 hours ago verified publisher icon shahroznawaz

Cross site scripting persistant

Open tahriabd opened this issue 6 years ago • 3 comments

Hi,

$subject and $comments in insert.php are vulnerables to xss attack: a remote attacker could inject à malicious javascript to corrupt user for example: <script>alert(1)</script>

to correct this vulnerability you need to escape html characteres by

htmlentities($comments, ENT_QUOTES)

and htmlentites($subject, ENT_QUOTES)

https://www.acunetix.com/websitesecurity/cross-site-scripting/

tahriabd avatar Jan 07 '19 20:01 tahriabd

Great observation @tahriabd It would even be better to fix this using parameter binding. It is vital that code like yours is not published with those kinds of problems. Beginners will simply copy and paste it. https://www.php.net/manual/en/mysqli-stmt.bind-param.php

alexander-zierhut avatar Nov 08 '20 14:11 alexander-zierhut

I agree, The best way is to use prepare statement like pdo or framework symfony but here, it s just a quick fix for who want to test code. The quick fix proposed in commit on issue #5 is safe too

tahriabd avatar Nov 08 '20 15:11 tahriabd

Very true. But I guess this fill never be fixed / merged / updated on the website

alexander-zierhut avatar Nov 09 '20 02:11 alexander-zierhut