help desk
In general all datas from an external source should be handle with care.
These could be use for XSS (https://en.wikipedia.org/wiki/Cross-site_scripting)
An example of an XSS is the following code:
cgidata = cgidata(); cgidata.problem;
if you call this page with this code:
page?problem=<svG%2Fonload%3Dalert(document.cookie)>
You will force the browser to execute this Javascript
If you want to display cgidata.problem use the following code:
esc(filter:"html", cgidata.problem);
If your data is expecting to get page number, make sure it's numeric
As an example the following code which display the current page is posing problem:
<a href="page.sn?page=">url</a> If this page is called with the following URL, page is not validated. page.sn?page=10"><script>alert(document.cookie)</script>&kw=
In this case you could make sure that page is numeric or use the following code to validate the URL:
<a href="page.sn?page=">url</a>
Replied on: 2022-01-12 13:37:00