NetTalk Central

Author Topic: Potential vulnerability  (Read 2202 times)

LyGilCo

  • Newbie
  • Posts: 17
Potential vulnerability
« on: August 04, 2008, 03:27:47 AM »
Hi everyone,
I have just had a message from a website user regarding a vulnerability with entered data. I am no expert on web security but what he says seems to make sense.

Excerpt from email:

I'd love to support the project and I have a couple of ideas for hardening the website. The picture attached to this email shows a simple js alert box popping up after I've submitted a project with parameter Pro_Description equal to <script>alert(1)</script>. This is a simple vuln on your website I saw there... I find the fact of data not being filtered when registering unsafe.

End excerpt

So as I see it - if someone enters <script> .. code .. </script>, then when someone views the page - the code is passed to their browser and executes.

The Webserver needs to filter out these statements (or do I need to do this manually - Yuk)

Cheers

Murray

Bruce

  • Global Moderator
  • Hero Member
  • Posts: 11179
Re: Potential vulnerability
« Reply #1 on: August 05, 2008, 12:22:40 AM »
Hi Murray,

This technique goes by the rather fancy name of "HTML Injection".

By default NetTalk "encodes" form fields which the user enters, so that you can _see_ what they entered, but it doesn't _run_ what they entered.
In other words, by default, NetTalk is secure.

However, if you tick on the option "allow xHTML" for an entry field (and _specifically_ if you're not using the WYSIWYG HTML editor on the field) then NetTalk does not encode what the user enters.

Obviously if you want the user to add _some_ HTML, but not "bad" HTML, then you need to parse what they enter, and selectively remove stuff.

Cheers
Bruce