Smarty Forum Index
The discussions here are for Smarty, a template engine for the PHP programming language.

forms & cross scripting

 
drgl
Smarty Rookie
Joined: 06 Oct 2017
Posts: 19

Posted: Tue Oct 31, 2017 2:09 pm    Post subject: forms & cross scripting

My sites have just failed a PCI scan; it seems this block of code is the problem:

Code:
<form id="product_search" method="get" action="{$smarty.const.SITE_ROOT}/searchresults/">
    <input type="text" name="search" placeholder="Product Search" {if isset($smarty.request.search)}value="{$smarty.request.search}"{/if} /><button type="submit"><i class="fa fa-search" aria-hidden="true"></i></button>
</form>
<form id="code_search" method="post" action="{$smarty.const.SITE_ROOT}/cart/quickadd.php">
    <input type="text" name="code" maxlength="14" placeholder="Product Code" /><button type="submit" name="submit" class="blue">Quick Add <i class="fa fa-shopping-cart" aria-hidden="true"></i></button>
</form>


Search results.tpl has this code:
Code:
<h1 class="nbm">Search Results</h1>
                    <p class="stm">Found: {$search->mProductCount} results for the search: <strong>{$search->mSearchString}</strong></p>
                    {if $search->mProducts}
                        <div class="product_list">
                            {section name=p loop=$search->mProducts}
                                <div class="pl_row clearfix">
                                    <div class="image">
                                        <a href="{$smarty.const.SITE_ROOT}/{$search->mProducts[p].menulinktext}/{$search->mProducts[p].url}/?search={$search->mSearchString}">
                                            <img src="{$smarty.const.SITE_ROOT}{$smarty.const.IMG_DIR}/thumbnails/{$search->mProducts[p].img}" alt="{$search->mProducts[p].title|escape:'htmlall'}"/>
                                        </a>
                                    </div>
                                    <div class="info">
                                        <a href="{$smarty.const.SITE_ROOT}/{$search->mProducts[p].menulinktext}/{$search->mProducts[p].url}/?search={$search->mSearchString}">
                                            <span class="title">{$search->mProducts[p].title|escape:'htmlall'}</span>
                                            <span class="code">CODE: {$search->mProducts[p].code|escape:'htmlall'}</span>
                                        </a>
                                    </div>
                                    <div class="price">
                                        {if $search->mProducts[p].special}<strong class="special">Special Offer</strong>{/if}
                                        {if $search->mProducts[p].newproduct}<strong class="new_product">New Product</strong>{/if}
                                        <strong class="prices"><span class="excl">&pound;{$search->mProducts[p].price}</span><span class="incl">(&pound;{$search->mProducts[p].price_inc} inc VAT)</span></strong>
                                    </div>
                                    <div class="view">
                                        <a href="{$smarty.const.SITE_ROOT}/{$search->mProducts[p].menulinktext}/{$search->mProducts[p].url}/?search={$search->mSearchString}"><i class="fa fa-search" aria-hidden="true"></i></a>
                                    </div>


The scan is saying the code is vulnerable to cross-site scripting. These sites were completely new 6 months ago, but I have no idea how to fix this. Can anyone assist? Thanks
AnrDaemon
Administrator
Joined: 03 Dec 2012
Posts: 1127

Posted: Tue Oct 31, 2017 3:59 pm

XSS is your code issue, not Smarty's.
Smarty only renders data into the page. It does not write to databases or anything.
bsmither
Smarty Pro
Joined: 20 Dec 2011
Posts: 131
Location: West Coast

Posted: Tue Oct 31, 2017 4:25 pm

My initial research into XSS suggests that their tests are showing that values of form elements are not getting sanitized/validated before ending up being seen on the next page.

Perhaps specifically:
Code:
value="{$smarty.request.search}"
drgl
Smarty Rookie
Joined: 06 Oct 2017
Posts: 19

Posted: Tue Oct 31, 2017 4:26 pm

Could this work?

Code:
<form id="product_search" method="get" action="{$smarty.const.SITE_ROOT|escape:'html':'UTF-8'}/searchresults/">
    <input type="text" name="search" placeholder="Product Search" {if isset($smarty.request.search)}value="{$smarty.request.search}"{/if} /><button type="submit"><i class="fa fa-search" aria-hidden="true"></i></button>
</form>
<form id="code_search" method="post" action="{$smarty.const.SITE_ROOT|escape:'html':'UTF-8'}/cart/quickadd.php">
    <input type="text" name="code" maxlength="14" placeholder="Product Code" /><button type="submit" name="submit" class="blue">Quick Add <i class="fa fa-shopping-cart" aria-hidden="true"></i></button>
</form>
bsmither
Smarty Pro
Joined: 20 Dec 2011
Posts: 131
Location: West Coast

Posted: Tue Oct 31, 2017 4:34 pm

Perhaps the best solution would be to instantiate some sort of sanitize/validate protocol in your PHP backend code.

To allow a search for words, then in PHP, remove characters not allowed, strip tags, etc., and only then, if desired, re-formulate the search terms back into a safe string to populate the "search" text box with what was searched prior.
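A backend normalisation step of the kind bsmither describes, as an added example that is not code from this thread or from the poster's site. The function name, the array key and the simulated request value are constructed for the example; it assumes PHP 7+ with the mbstring extension. Note that it deliberately does not strip tags: removing `<b>` from a string does not make that string safe to put into HTML, and a cleaned term still has to be escaped when the template writes it back into the `value` attribute.

```php
<?php
declare(strict_types=1);

// Added example (not code from the thread). normalizeSearchTerm() and the
// simulated $_GET value below are assumptions made for the illustration.

/**
 * Normalise a search term taken from $_GET['search'] before it is used
 * for the product search and before it is assigned to the template.
 * Returns '' for anything unusable so the caller can skip the search.
 */
function normalizeSearchTerm($raw, int $maxLen = 64): string
{
    // search[]=x arrives as an array; that is not a search term.
    if (!is_string($raw)) {
        return '';
    }
    // Reject invalid UTF-8 rather than letting it reach the page.
    if (!mb_check_encoding($raw, 'UTF-8')) {
        return '';
    }
    // Collapse runs of whitespace (tabs, newlines, multiple spaces) first...
    $term = preg_replace('/\s+/u', ' ', $raw);
    // ...then drop remaining control characters (NUL, ESC, DEL, ...).
    $term = preg_replace('/[\x00-\x1F\x7F]/u', '', $term);
    $term = trim($term);
    // Cap the length; a product search never needs a kilobyte of input.
    return mb_substr($term, 0, $maxLen, 'UTF-8');
}

// Simulated request, constructed for the example: padding, a tab,
// a NUL byte and some markup mixed into an otherwise ordinary search.
$_GET['search'] = "  blue\twidget <b>sale</b>\x00  ";

$term = normalizeSearchTerm($_GET['search'] ?? '');

if ($term !== '') {
    // The cleaned term is what the search runs on and what gets assigned
    // to the template. It still contains '<' and '>', so the template
    // must escape it on output, e.g. {$searchTerm|escape:'html':'UTF-8'}.
    // $smarty->assign('searchTerm', $term);   // assumed application code
    echo "search for: {$term}\n";
}
```

Normalisation of this kind limits junk input and keeps the search predictable, but it is not what closes the scanner finding; only context-aware escaping at the point where the term is written into the HTML does that.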
AnrDaemon
Administrator
Joined: 03 Dec 2012
Posts: 1127

Posted: Wed Nov 01, 2017 1:56 pm

bsmither wrote:
My initial research into XSS suggests that their tests are showing that values of form elements are not getting sanitized/validated before ending up being seen on the next page.

Perhaps specifically:
Code:
value="{$smarty.request.search}"


Did you mean, they aren't mangled? If so, that's a good thing.
AnrDaemon
Administrator
Joined: 03 Dec 2012
Posts: 1127

Posted: Wed Nov 01, 2017 1:58 pm

drgl wrote:
Could this work??

Code:
<form id="product_search" method="get" action="{$smarty.const.SITE_ROOT|escape:'html':'UTF-8'}/searchresults/">
    <input type="text" name="search" placeholder="Product Search" {if isset($smarty.request.search)}value="{$smarty.request.search}"{/if} /><button type="submit"><i class="fa fa-search" aria-hidden="true"></i></button>
</form>
<form id="code_search" method="post" action="{$smarty.const.SITE_ROOT|escape:'html':'UTF-8'}/cart/quickadd.php">
    <input type="text" name="code" maxlength="14" placeholder="Product Code" /><button type="submit" name="submit" class="blue">Quick Add <i class="fa fa-shopping-cart" aria-hidden="true"></i></button>
</form>


Why do you escape a known trusted variable but do not escape an unknown user input?
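AnrDaemon's point, applied to the templates in the first post, as an added example that is not code from the thread or from the poster's site. `SITE_ROOT` is a constant the site controls, so escaping it changes nothing; the value that has to be escaped is the user-supplied search string, and in the posted templates it lands in three different contexts: the `value` attribute of the search box (`$smarty.request.search`), the text of the "Found: ... results" paragraph (`$search->mSearchString`), and the `?search=` query parameter of each result link. Each helper below does what the Smarty `escape` modifier named in its comment does (`html` is `htmlspecialchars` with `ENT_QUOTES`, `url` is `rawurlencode`), so the template-side fix is `{$smarty.request.search|escape:'html':'UTF-8'}` for the attribute and text, and `{$search->mSearchString|escape:'url'}` inside the hrefs. Helper and function names are assumptions; the sample term is constructed.

```php
<?php
declare(strict_types=1);

// Added example (not code from the thread). escHtml(), escUrl() and
// renderSearchFragment() are names chosen for this illustration.

/** Text content or a quoted attribute value: what |escape:'html' does. */
function escHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** One query-string parameter inside a URL: what |escape:'url' does. */
function escUrl(string $s): string
{
    return rawurlencode($s);
}

/**
 * Renders the search box, the result count line and one result link from
 * the first post, escaping the user-supplied term for each place it lands.
 */
function renderSearchFragment(string $siteRoot, string $term, int $count): string
{
    $lines = [];

    // 1. Attribute value: HTML-escape so a quote cannot end the attribute.
    //    escHtml($siteRoot) is harmless but unnecessary; it is a trusted constant.
    $lines[] = '<form id="product_search" method="get" action="' . escHtml($siteRoot) . '/searchresults/">';
    $lines[] = '  <input type="text" name="search" placeholder="Product Search" value="' . escHtml($term) . '" />';
    $lines[] = '</form>';

    // 2. Text content: HTML-escape so '<' cannot start an element.
    $lines[] = '<p class="stm">Found: ' . $count . ' results for the search: <strong>'
             . escHtml($term) . '</strong></p>';

    // 3. Query parameter: URL-encode the value first (inner context), then
    //    HTML-escape the whole attribute (outer context). Doing it in the
    //    other order would leave '&' and '"' live inside the attribute.
    $url = $siteRoot . '/widgets/blue-widget/?search=' . escUrl($term);
    $lines[] = '<a href="' . escHtml($url) . '"><i class="fa fa-search" aria-hidden="true"></i></a>';

    return implode("\n", $lines) . "\n";
}

// Constructed sample term holding the characters that matter in each
// context: a double quote, an ampersand and angle brackets.
$term = 'blue "widget" & <sale>';
echo renderSearchFragment('https://shop.example', $term, 0);
```

Smarty 3.1 and later also offer `$smarty->escape_html = true;`, which applies the `html` escaping to every variable output automatically. That is a sensible default for attribute and text positions, but it is the wrong encoding for the `?search=` parameter inside an href, which still needs `|escape:'url'` applied explicitly (and, with `escape_html` on, no second HTML escape).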
All times are GMT

Powered by phpBB © 2001, 2005 phpBB Group