Atozed Forums

Atozed Forums > Atozed Software Products > IntraWeb > English > IntraWeb General Discussion > Firefox cross-site scripting issue
Full Version: Firefox cross-site scripting issue
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
Pages: 1 2

joelcc

10-27-2020, 04:24 PM
After blocking the above issue I had another finding and decided to block the <xss tag with

if (ContainsText(AParam, '<xss')) then
AllowIt := False;

Doing this stops the following:

https://somesite.com/providers/IsProvide...c%2fxss%3e

I guess it should be added to the list of things to block by default so I am posting it here?

joelcc

11-11-2020, 07:33 PM
I am adding to this thread so everyone has the final update.

Since there is a large list of the cross site scripting (see https://portswigger.net/web-security/cro...heat-sheet) that "according to the testing company" can be used against a website through parameters, I ended up blocking all of the parameters by the servercontroller->OnParseParameter. I then wrote code to handle the params that I did want to allow.

This passed the security audit checks so I am moving on.
Pages: 1 2
Atozed Forums > Atozed Software Products > IntraWeb > English > IntraWeb General Discussion > Firefox cross-site scripting issue