drgl Smarty Rookie
Joined: 06 Oct 2017 Posts: 26
Posted: Tue Oct 31, 2017 2:09 pm Post subject: forms & cross scripting
My sites have just failed a PCI scan; it seems this block of code is the problem:
Code:
<form id="product_search" method="get" action="{$smarty.const.SITE_ROOT}/searchresults/">
    <input type="text" name="search" placeholder="Product Search" {if isset($smarty.request.search)}value="{$smarty.request.search}"{/if} /><button type="submit"><i class="fa fa-search" aria-hidden="true"></i></button>
</form>
<form id="code_search" method="post" action="{$smarty.const.SITE_ROOT}/cart/quickadd.php">
    <input type="text" name="code" maxlength="14" placeholder="Product Code" /><button type="submit" name="submit" class="blue">Quick Add <i class="fa fa-shopping-cart" aria-hidden="true"></i></button>
</form>
Search results.tpl has this code:
Code:
<h1 class="nbm">Search Results</h1>
<p class="stm">Found: {$search->mProductCount} results for the search: <strong>{$search->mSearchString}</strong></p>
{if $search->mProducts}
<div class="product_list">
{section name=p loop=$search->mProducts}
    <div class="pl_row clearfix">
        <div class="image">
            <a href="{$smarty.const.SITE_ROOT}/{$search->mProducts[p].menulinktext}/{$search->mProducts[p].url}/?search={$search->mSearchString}">
                <img src="{$smarty.const.SITE_ROOT}{$smarty.const.IMG_DIR}/thumbnails/{$search->mProducts[p].img}" alt="{$search->mProducts[p].title|escape:'htmlall'}"/>
            </a>
        </div>
        <div class="info">
            <a href="{$smarty.const.SITE_ROOT}/{$search->mProducts[p].menulinktext}/{$search->mProducts[p].url}/?search={$search->mSearchString}">
                <span class="title">{$search->mProducts[p].title|escape:'htmlall'}</span>
                <span class="code">CODE: {$search->mProducts[p].code|escape:'htmlall'}</span>
            </a>
        </div>
        <div class="price">
            {if $search->mProducts[p].special}<strong class="special">Special Offer</strong>{/if}
            {if $search->mProducts[p].newproduct}<strong class="new_product">New Product</strong>{/if}
            <strong class="prices"><span class="excl">£{$search->mProducts[p].price}</span><span class="incl">(£{$search->mProducts[p].price_inc} inc VAT)</span></strong>
        </div>
        <div class="view">
            <a href="{$smarty.const.SITE_ROOT}/{$search->mProducts[p].menulinktext}/{$search->mProducts[p].url}/?search={$search->mSearchString}"><i class="fa fa-search" aria-hidden="true"></i></a>
        </div>
    </div>
{/section}
</div>
{/if}
The scan is saying the code is vulnerable to cross-site scripting. These sites were completely new 6 months ago but I have no idea how to fix this. Can anyone assist? Thanks
AnrDaemon Administrator
Joined: 03 Dec 2012 Posts: 1785
Posted: Tue Oct 31, 2017 3:59 pm
XSS is your code issue, not Smarty.
Smarty only renders data into the page; it does not write to databases or anything.
bsmither Smarty Elite
Joined: 20 Dec 2011 Posts: 322 Location: West Coast
Posted: Tue Oct 31, 2017 4:25 pm
My initial research into XSS suggests that their tests are showing that values of form elements are not getting sanitized/validated before ending up being seen on the next page.
Perhaps specifically:
Code:
value="{$smarty.request.search}"
drgl Smarty Rookie
Joined: 06 Oct 2017 Posts: 26
Posted: Tue Oct 31, 2017 4:26 pm
Could this work?
Code:
<form id="product_search" method="get" action="{$smarty.const.SITE_ROOT|escape:'html':'UTF-8'}/searchresults/">
    <input type="text" name="search" placeholder="Product Search" {if isset($smarty.request.search)}value="{$smarty.request.search}"{/if} /><button type="submit"><i class="fa fa-search" aria-hidden="true"></i></button>
</form>
<form id="code_search" method="post" action="{$smarty.const.SITE_ROOT|escape:'html':'UTF-8'}/cart/quickadd.php">
    <input type="text" name="code" maxlength="14" placeholder="Product Code" /><button type="submit" name="submit" class="blue">Quick Add <i class="fa fa-shopping-cart" aria-hidden="true"></i></button>
</form>
bsmither Smarty Elite
Joined: 20 Dec 2011 Posts: 322 Location: West Coast
Posted: Tue Oct 31, 2017 4:34 pm
Perhaps the best solution would be to instantiate some sort of sanitize/validate protocol in your PHP backend code.
To allow a search for words, then in PHP, remove characters not allowed, strip tags, etc., and only then, if desired, re-formulate the search terms back into a safe string to populate the "search" text box with what was searched prior.
AnrDaemon Administrator
Joined: 03 Dec 2012 Posts: 1785
Posted: Wed Nov 01, 2017 1:56 pm
bsmither wrote:
    My initial research into XSS suggests that their tests are showing that values of form elements are not getting sanitized/validated before ending up being seen on the next page.
    Perhaps specifically:
    Code:
    value="{$smarty.request.search}"

Did you mean, they aren't mangled? If so, that's a good thing.
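The two replies above, bsmither's "strip tags in PHP and re-insert" and AnrDaemon's objection that input which is not mangled is the right outcome, come down to the difference between sanitising input and escaping output. The following is an added example written for this page, not code from the thread or from Smarty. It is plain PHP so it runs without a template engine; the payloads and the helper names (sanitize_only, for_html, for_url_query, render_search_box, render_result_link) are constructed for the demonstration. Smarty's escape:'html' and escape:'url' modifiers wrap the same builtins the helpers call.

```php
<?php
// Added example, not code from the thread or from Smarty. Plain PHP so it runs
// with no template engine; Smarty's |escape:'html' and |escape:'url' modifiers
// wrap the same builtins used here (htmlspecialchars with ENT_QUOTES, rawurlencode).
declare(strict_types=1);

// Constructed inputs. The second one contains no tag at all, so strip_tags()
// returns it unchanged, yet inside value="..." it closes the attribute and adds
// an event handler. The third is a legitimate search: strip_tags() treats the
// unclosed "<3 #10" as a tag and drops it, and unencoded it would also corrupt
// a ?search= query string.
const SEARCH_INPUTS = [
    'tagged'    => '"><script>alert(1)</script>',
    'untagged'  => '" onfocus="alert(1)" autofocus="',
    'ampersand' => 'bolts & nuts 2<3 #10',
];

// The "sanitize then re-insert" idea as literally described: remove tags and
// put the result back into the template raw.
function sanitize_only(string $s): string
{
    return strip_tags($s);
}

// Output escaping, one function per destination context.
function for_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function for_url_query(string $s): string
{
    return rawurlencode($s);
}

// The two places the OP's templates put the search term (hypothetical renderers
// standing in for the Smarty output).
function render_search_box(string $value): string
{
    return '<input type="text" name="search" value="' . $value . '" />';
}

function render_result_link(string $value): string
{
    return '<a href="/searchresults/?search=' . $value . '">';
}

// Attribute break-out: a raw double quote inside a double-quoted attribute.
function breaks_attribute(string $rendered_value): bool
{
    return strpos($rendered_value, '"') !== false;
}

// "Mangling": does the user get back exactly what they typed? Escaped output
// does (the browser decodes the entities); strip_tags() output does not.
function round_trips(string $original, string $rendered_value): bool
{
    return html_entity_decode($rendered_value, ENT_QUOTES | ENT_HTML5, 'UTF-8') === $original;
}

foreach (SEARCH_INPUTS as $name => $raw) {
    $stripped = sanitize_only($raw);
    $escaped  = for_html($raw);
    printf("[%s] input: %s\n", $name, $raw);
    printf("  strip_tags  -> %s\n", render_search_box($stripped));
    printf("    breaks attribute: %s, round-trips: %s\n",
        breaks_attribute($stripped) ? 'yes' : 'no',
        round_trips($raw, $stripped) ? 'yes' : 'no');
    printf("  escape:html -> %s\n", render_search_box($escaped));
    printf("    breaks attribute: %s, round-trips: %s\n",
        breaks_attribute($escaped) ? 'yes' : 'no',
        round_trips($raw, $escaped) ? 'yes' : 'no');
    printf("  escape:url  -> %s\n\n", render_result_link(for_url_query($raw)));
}
```

Run it with `php` on the file. The untagged payload survives strip_tags() untouched and still closes the value attribute, so a sanitiser that only looks for tags does not address what the scanner found. The escaped versions contain no raw quote in any of the three cases, and decoding them gives back exactly the original string, which is why escaping at output is not "mangling". The third input shows the other side: strip_tags() silently discards everything after `2<`, so the user's own search is what gets mangled.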
AnrDaemon Administrator
Joined: 03 Dec 2012 Posts: 1785
Posted: Wed Nov 01, 2017 1:58 pm
drgl wrote:
    Could this work?
    Code:
    <form id="product_search" method="get" action="{$smarty.const.SITE_ROOT|escape:'html':'UTF-8'}/searchresults/">
        <input type="text" name="search" placeholder="Product Search" {if isset($smarty.request.search)}value="{$smarty.request.search}"{/if} /><button type="submit"><i class="fa fa-search" aria-hidden="true"></i></button>
    </form>
    <form id="code_search" method="post" action="{$smarty.const.SITE_ROOT|escape:'html':'UTF-8'}/cart/quickadd.php">
        <input type="text" name="code" maxlength="14" placeholder="Product Code" /><button type="submit" name="submit" class="blue">Quick Add <i class="fa fa-shopping-cart" aria-hidden="true"></i></button>
    </form>

Why do you escape a known trusted variable but do not escape an unknown user input?
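To answer the question AnrDaemon ends on, here are the OP's two fragments with the user-controlled value escaped for the context it lands in, and the trusted constant left alone. This is an added example, not something posted in the thread. It keeps the OP's names (SITE_ROOT, IMG_DIR, $smarty.request.search, $search->mSearchString, $search->mProducts) and assumes Smarty 3; menulinktext, url and img are assumed to be slugs from the site's own database rather than anything a visitor can type.

```smarty
{* Added example, not code from the thread. The header forms: the one
   user-controlled value, $smarty.request.search, sits inside a double-quoted
   HTML attribute, so it gets escape:'html' (htmlspecialchars with ENT_QUOTES).
   A value such as "><script>alert(1)</script> can then no longer close the
   attribute. SITE_ROOT is a constant the site owner defines; escaping it
   changes nothing, which is why the earlier attempt did not help. *}
<form id="product_search" method="get" action="{$smarty.const.SITE_ROOT}/searchresults/">
    <input type="text" name="search" placeholder="Product Search"
           {if isset($smarty.request.search)}value="{$smarty.request.search|escape:'html'}"{/if} />
    <button type="submit"><i class="fa fa-search" aria-hidden="true"></i></button>
</form>
<form id="code_search" method="post" action="{$smarty.const.SITE_ROOT}/cart/quickadd.php">
    <input type="text" name="code" maxlength="14" placeholder="Product Code" />
    <button type="submit" name="submit" class="blue">Quick Add <i class="fa fa-shopping-cart" aria-hidden="true"></i></button>
</form>

{* The search-results fragment. The same string, $search->mSearchString, is
   output in two different contexts and needs a different modifier in each:
   escape:'html' in element text, escape:'url' (rawurlencode) inside the
   ?search= query string. rawurlencode leaves only [A-Za-z0-9._~-] and %XX
   sequences, so the encoded value also contains nothing that needs HTML
   escaping inside the href attribute. menulinktext, url and img are assumed
   to be database slugs; if users can influence them, escape those too. *}
<h1 class="nbm">Search Results</h1>
<p class="stm">Found: {$search->mProductCount} results for the search: <strong>{$search->mSearchString|escape:'html'}</strong></p>
{if $search->mProducts}
<div class="product_list">
{section name=p loop=$search->mProducts}
    <div class="pl_row clearfix">
        <div class="image">
            <a href="{$smarty.const.SITE_ROOT}/{$search->mProducts[p].menulinktext}/{$search->mProducts[p].url}/?search={$search->mSearchString|escape:'url'}">
                <img src="{$smarty.const.SITE_ROOT}{$smarty.const.IMG_DIR}/thumbnails/{$search->mProducts[p].img}" alt="{$search->mProducts[p].title|escape:'htmlall'}"/>
            </a>
        </div>
        <div class="info">
            <a href="{$smarty.const.SITE_ROOT}/{$search->mProducts[p].menulinktext}/{$search->mProducts[p].url}/?search={$search->mSearchString|escape:'url'}">
                <span class="title">{$search->mProducts[p].title|escape:'htmlall'}</span>
                <span class="code">CODE: {$search->mProducts[p].code|escape:'htmlall'}</span>
            </a>
        </div>
        <div class="price">
            {if $search->mProducts[p].special}<strong class="special">Special Offer</strong>{/if}
            {if $search->mProducts[p].newproduct}<strong class="new_product">New Product</strong>{/if}
            <strong class="prices"><span class="excl">£{$search->mProducts[p].price}</span><span class="incl">(£{$search->mProducts[p].price_inc} inc VAT)</span></strong>
        </div>
        <div class="view">
            <a href="{$smarty.const.SITE_ROOT}/{$search->mProducts[p].menulinktext}/{$search->mProducts[p].url}/?search={$search->mSearchString|escape:'url'}"><i class="fa fa-search" aria-hidden="true"></i></a>
        </div>
    </div>
{/section}
</div>
{/if}
```

Two notes for a practitioner. First, the attribute value must stay double-quoted for escape:'html' to be sufficient; an unquoted attribute can be broken out of with a space. Second, Smarty 3.1 can apply HTML escaping by default if the PHP that builds the Smarty object sets `$smarty->escape_html = true;`, after which every `{$var}` is passed through htmlspecialchars unless written `{$var nofilter}`. That removes the "forgot the modifier" class of bug for HTML contexts, but it does nothing for the URL context above, where escape:'url' is still required, and it will double-encode values that the PHP side already escaped or that legitimately contain markup, so audit the templates before turning it on.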