
forms & cross scripting

 
drgl (Smarty Rookie; joined 06 Oct 2017; 26 posts)
Posted: Tue Oct 31, 2017 2:09 pm    Post subject: forms & cross scripting

My sites have just failed a PCI scan; it seems this block of code is the problem:

Code:
<form id="product_search" method="get" action="{$smarty.const.SITE_ROOT}/searchresults/">
    <input type="text" name="search" placeholder="Product Search" {if isset($smarty.request.search)}value="{$smarty.request.search}"{/if} /><button type="submit"><i class="fa fa-search" aria-hidden="true"></i></button>
</form>
<form id="code_search" method="post" action="{$smarty.const.SITE_ROOT}/cart/quickadd.php">
    <input type="text" name="code" maxlength="14" placeholder="Product Code" /><button type="submit" name="submit" class="blue">Quick Add <i class="fa fa-shopping-cart" aria-hidden="true"></i></button>
</form>


Search results.tpl has this code:
Code:

<h1 class="nbm">Search Results</h1>
                    <p class="stm">Found: {$search->mProductCount} results for the search: <strong>{$search->mSearchString}</strong></p>
                    {if $search->mProducts}
                        <div class="product_list">
                            {section name=p loop=$search->mProducts}
                                <div class="pl_row clearfix">
                                    <div class="image">
                                        <a href="{$smarty.const.SITE_ROOT}/{$search->mProducts[p].menulinktext}/{$search->mProducts[p].url}/?search={$search->mSearchString}">
                                            <img src="{$smarty.const.SITE_ROOT}{$smarty.const.IMG_DIR}/thumbnails/{$search->mProducts[p].img}" alt="{$search->mProducts[p].title|escape:'htmlall'}"/>
                                        </a>
                                    </div>
                                    <div class="info">
                                        <a href="{$smarty.const.SITE_ROOT}/{$search->mProducts[p].menulinktext}/{$search->mProducts[p].url}/?search={$search->mSearchString}">
                                            <span class="title">{$search->mProducts[p].title|escape:'htmlall'}</span>
                                            <span class="code">CODE: {$search->mProducts[p].code|escape:'htmlall'}</span>
                                        </a>
                                    </div>
                                    <div class="price">
                                        {if $search->mProducts[p].special}<strong class="special">Special Offer</strong>{/if}
                                        {if $search->mProducts[p].newproduct}<strong class="new_product">New Product</strong>{/if}
                                        <strong class="prices"><span class="excl">&pound;{$search->mProducts[p].price}</span><span class="incl">(&pound;{$search->mProducts[p].price_inc} inc VAT)</span></strong>
                                    </div>
                                    <div class="view">
                                        <a href="{$smarty.const.SITE_ROOT}/{$search->mProducts[p].menulinktext}/{$search->mProducts[p].url}/?search={$search->mSearchString}"><i class="fa fa-search" aria-hidden="true"></i></a>
                                    </div>


The scan is saying the code is vulnerable to cross site scripting. These sites were completely new 6 months ago but I have no idea how to fix this. Can anyone assist? Thanks

AnrDaemon (Administrator; joined 03 Dec 2012; 1785 posts)
Posted: Tue Oct 31, 2017 3:59 pm

XSS is your code's issue, not Smarty's.
Smarty only renders data into the page; it is not writing to databases or anything.

bsmither (Smarty Elite; joined 20 Dec 2011; 322 posts; location: West Coast)
Posted: Tue Oct 31, 2017 4:25 pm

My initial research into XSS suggests that their tests are showing that values of form elements are not getting sanitized/validated before ending up being seen on the next page.

Perhaps specifically:
Code:
value="{$smarty.request.search}"
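As an added example (not code from the thread, and not Smarty's own documentation), here are the two places from the templates above rewritten so that the user-controlled search string is escaped for the context it lands in: the value="" attribute and the <strong> text get |escape:'html', and the query-string use inside the href gets |escape:'url'. The constants, field names and object members are the thread's own; the markup is trimmed to the relevant lines. The trusted SITE_ROOT constant is left alone, since it is the request value, not the constant, that an attacker controls.

```smarty
{* Product search form: the request value is HTML-escaped (htmlspecialchars
   with ENT_QUOTES) before it is placed inside the double-quoted value=""
   attribute, so a quote or angle bracket in the input cannot end the
   attribute or start a tag. *}
<form id="product_search" method="get" action="{$smarty.const.SITE_ROOT}/searchresults/">
    <input type="text" name="search" placeholder="Product Search"
        {if isset($smarty.request.search)}value="{$smarty.request.search|escape:'html':'UTF-8'}"{/if} />
    <button type="submit"><i class="fa fa-search" aria-hidden="true"></i></button>
</form>

{* Search results: the same string appears in two different contexts.
   In HTML text it needs HTML escaping; in a URL query string it needs URL
   encoding. |escape:'url' is rawurlencode, whose output contains no quotes,
   angle brackets or ampersands, so the result is also safe inside the
   quoted href attribute. *}
<p class="stm">Found: {$search->mProductCount} results for the search:
    <strong>{$search->mSearchString|escape:'html':'UTF-8'}</strong></p>
{section name=p loop=$search->mProducts}
    <a href="{$smarty.const.SITE_ROOT}/{$search->mProducts[p].menulinktext}/{$search->mProducts[p].url}/?search={$search->mSearchString|escape:'url'}">
        <span class="title">{$search->mProducts[p].title|escape:'htmlall'}</span>
        <span class="code">CODE: {$search->mProducts[p].code|escape:'htmlall'}</span>
    </a>
{/section}
```

The rule of thumb this follows: escape at the point of output, once, for the context the value is written into. The product title and code in the original template already did this with |escape:'htmlall'; the search string was the one value that reached the page unescaped.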

drgl (Smarty Rookie; joined 06 Oct 2017; 26 posts)
Posted: Tue Oct 31, 2017 4:26 pm

Could this work??

Code:
<form id="product_search" method="get" action="{$smarty.const.SITE_ROOT|escape:'html':'UTF-8'}/searchresults/">
    <input type="text" name="search" placeholder="Product Search" {if isset($smarty.request.search)}value="{$smarty.request.search}"{/if} /><button type="submit"><i class="fa fa-search" aria-hidden="true"></i></button>
</form>
<form id="code_search" method="post" action="{$smarty.const.SITE_ROOT|escape:'html':'UTF-8'}/cart/quickadd.php">
    <input type="text" name="code" maxlength="14" placeholder="Product Code" /><button type="submit" name="submit" class="blue">Quick Add <i class="fa fa-shopping-cart" aria-hidden="true"></i></button>
</form>

bsmither (Smarty Elite; joined 20 Dec 2011; 322 posts; location: West Coast)
Posted: Tue Oct 31, 2017 4:34 pm

Perhaps the best solution would be to instantiate some sort of sanitize/validate protocol in your PHP backend code.

To allow a search for words: in PHP, remove characters that are not allowed, strip tags, etc., and only then, if desired, re-formulate the search terms back into a safe string to populate the "search" text box with what was searched previously.

AnrDaemon (Administrator; joined 03 Dec 2012; 1785 posts)
Posted: Wed Nov 01, 2017 1:56 pm

bsmither wrote:
My initial research into XSS suggests that their tests are showing that values of form elements are not getting sanitized/validated before ending up being seen on the next page.

Perhaps specifically:
Code:
value="{$smarty.request.search}"


Did you mean, they aren't mangled? If so, that's a good thing.

AnrDaemon (Administrator; joined 03 Dec 2012; 1785 posts)
Posted: Wed Nov 01, 2017 1:58 pm

drgl wrote:
Could this work??

Code:
<form id="product_search" method="get" action="{$smarty.const.SITE_ROOT|escape:'html':'UTF-8'}/searchresults/">
    <input type="text" name="search" placeholder="Product Search" {if isset($smarty.request.search)}value="{$smarty.request.search}"{/if} /><button type="submit"><i class="fa fa-search" aria-hidden="true"></i></button>
</form>
<form id="code_search" method="post" action="{$smarty.const.SITE_ROOT|escape:'html':'UTF-8'}/cart/quickadd.php">
    <input type="text" name="code" maxlength="14" placeholder="Product Code" /><button type="submit" name="submit" class="blue">Quick Add <i class="fa fa-shopping-cart" aria-hidden="true"></i></button>
</form>


Why do you escape a known trusted variable but do not escape an unknown user input?
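The backend side that bsmither suggests, combined with AnrDaemon's point that it is the unknown user input rather than the trusted SITE_ROOT constant that needs escaping, as an added PHP example that is not part of the thread or of Smarty's own code. It assumes Smarty 3.1 installed through Composer (vendor/autoload.php); normalize_search_term, the stdClass stand-in for the application's $search object and the inline template are constructed for this illustration. Validation narrows what a search term may contain, but the actual XSS defence is output escaping, which Smarty 3.1's escape_html setting applies to every {$var} output by default so that a template that forgets |escape no longer emits raw input as markup.

```php
<?php
// Added example, not code from the thread. Assumes Smarty 3.1 installed via
// Composer (vendor/autoload.php); everything else here is constructed.
require __DIR__ . '/vendor/autoload.php';

/**
 * Normalise the raw search term: trim, drop control characters, collapse
 * whitespace and cap the length. This narrows the input but is NOT the XSS
 * defence; output escaping in the template is.
 */
function normalize_search_term(?string $raw, int $maxLen = 64): string
{
    $term = trim((string) $raw);
    // preg_replace returns null on invalid UTF-8; treat that as an empty term
    $term = preg_replace('/[\x00-\x1F\x7F]+/u', '', $term) ?? '';
    $term = preg_replace('/\s+/u', ' ', $term) ?? '';
    return mb_substr($term, 0, $maxLen, 'UTF-8');
}

$smarty = new Smarty();
// Smarty 3.1+: every {$var} output is passed through htmlspecialchars
// (ENT_QUOTES) unless the template says {$var nofilter}. A template that
// forgets |escape therefore no longer emits raw user input as markup.
$smarty->escape_html = true;

$term = normalize_search_term($_GET['search'] ?? '');

// Stand-in for the application's search object (constructed here).
$search = new stdClass();
$search->mSearchString = $term;
$search->mProducts     = [];   // would be filled from the database
$search->mProductCount = count($search->mProducts);
$smarty->assign('search', $search);

// Inline template equivalent to the lines quoted in the thread. The HTML
// contexts rely on escape_html; the query-string context still needs
// |escape:'url' because URL encoding is a different job from HTML escaping
// (an htmlspecialchars pass on top of it is a no-op on rawurlencode output).
$tpl = 'string:'
     . '<input type="text" name="search" value="{$search->mSearchString}" />'
     . '<p class="stm">Found: {$search->mProductCount} results for the search: '
     . '<strong>{$search->mSearchString}</strong></p>'
     . '<a href="/searchresults/?search={$search->mSearchString|escape:\'url\'}">Search again</a>';

echo $smarty->fetch($tpl);
```

Served by a web server and requested with a search parameter containing a double quote or a less-than sign, the value is rendered as &quot; and &lt; in both the attribute and the paragraph, so the browser treats it as text rather than markup. {$var nofilter} switches the automatic escaping off for a single output and should be reserved for values that are trusted and already escaped.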