How to fix XSS in a website URL? Magento 1
14-04-2021
Question
I can see that browsing a URL like this
https://www.anywebsite.com/?p=%3Cscript%3Ealert(document.cookie)%3C/script%3E
shows an alert in the browser window.
Is there any way to prevent it? It's XSS.
Solution
As mentioned in the comments
I can confirm that by default this doesn't happen. I can conclude that this has something to do with your custom code. I assume that the p parameter is paging for something and I assume it should be an integer. Change your code that reads this parameter and convert it to int. Or better yet, if you are printing it somewhere make sure you escape the values (strip_tags for example if you don't want tags in there).
If the script tag is not printed anywhere, this means that it is escaped somehow and you are safe from XSS.
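The two fixes the answer describes (cast a page parameter to int; escape anything printed into HTML) side by side with the vulnerable pattern, as an added PHP example that is not code from the question, the answer, or Magento itself. The function names and the constructed `$query` arrays are assumptions for illustration; the Magento 1 calls shown in comments (`getRequest()->getParam()`, `$this->escapeHtml()`, `Mage::helper('core')->escapeHtml()`) are real framework methods.

```php
<?php
// Added example, not from the original question/answer or from Magento.
// Function names and sample inputs are constructed for illustration.

// --- Vulnerable pattern: what produces the alert in the question ---
// Echoing the raw request parameter into HTML lets any markup in the URL run.
function renderPageLinkVulnerable(array $query): string
{
    $p = isset($query['p']) ? $query['p'] : '1';
    return '<a href="?p=' . $p . '">Page ' . $p . '</a>';   // unescaped: XSS
}

// --- Fix 1: the parameter is a page number, so treat it as one ---
function normalizePage($raw, int $default = 1): int
{
    // (int) on "<script>..." yields 0, which is clamped back to the default.
    $p = (int) $raw;
    return $p >= 1 ? $p : $default;
}

// --- Fix 2: escape whatever is printed into HTML, even after casting ---
function renderPageLinkSafe(array $query): string
{
    $p = normalizePage(isset($query['p']) ? $query['p'] : null);
    // ENT_QUOTES covers both the attribute context and the text context used here.
    $safe = htmlspecialchars((string) $p, ENT_QUOTES, 'UTF-8');
    return '<a href="?p=' . $safe . '">Page ' . $safe . '</a>';
}

// --- strip_tags, as mentioned in the answer, removes tags but is not an escaper ---
// It is fine when tags are simply unwanted, but quotes and '<' in attributes still
// need htmlspecialchars(); use both rather than strip_tags() alone.
function renderFreeTextSafe(string $raw): string
{
    $noTags = strip_tags($raw);
    return '<span title="' . htmlspecialchars($noTags, ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars($noTags, ENT_QUOTES, 'UTF-8') . '</span>';
}

// In a Magento 1 block or template the same idea uses the framework's own helpers:
//   $p = (int) $this->getRequest()->getParam('p', 1);
//   echo $this->escapeHtml($p);              // Mage_Core_Block_Abstract::escapeHtml
// or, outside a block:
//   echo Mage::helper('core')->escapeHtml($value);

// Constructed input mirroring the URL in the question.
$attack = array('p' => '<script>alert(document.cookie)</script>');
echo renderPageLinkVulnerable($attack), "\n";   // markup passes straight through
echo renderPageLinkSafe($attack), "\n";         // <a href="?p=1">Page 1</a>
echo renderFreeTextSafe('Bob <b>"the"</b> Builder'), "\n";
```

Casting is the right fix only because `p` is meant to be a number; for any parameter that legitimately carries text, output escaping (the second function) is the fix that holds regardless of what the input looks like.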
Licensed under: CC-BY-SA with attribution
Not affiliated with magento.stackexchange