1.1.0 Failed XSS Test #563
Comments
|
Looking at this a bit more, I wonder if the Form's Action param could simply not be populated on the "Page not found" page? As I'm going down the list of all the URLs which where "compromised" they're all resulting in the "We Can't Find That Page" message. |
|
FYI, I tried setting the "404 Page" in the Site Details yesterday to see if that would pass the XSS test, but it did not. |
treyhendon
added a commit
to treyhendon/Rock
that referenced
this issue
Oct 22, 2014
Set the form action to be "/" so that non-escaped text is not present in the action param. Issue SparkDevNetwork#563
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The following URL shows an unescaped form action which is causing XSS Failure leading to PCI Compliance failure.
https://nhadmin.oakhillschurch.com///data:_;;;:;base64_______,PHNDcklwdCA+cHJvbXB0KDk0OTY4Nyk8IC9TY1JpcFQ+
Here is the opening form tag:
form method="post" action="data:;;;:;base64______,PHNDcklwdCA+cHJvbXB0KDk0OTY4Nyk8IC9TY1JpcFQ+?404%3bhttps%3a%2f%2fnhadmin.oakhillschurch.com%3a443%2fdata%3a_%3b%3b%3b%3a%3bbase64_______%2cPHNDcklwdCA+cHJvbXB0KDk0OTY4Nyk8IC9TY1JpcFQ+" id="form1"
The text was updated successfully, but these errors were encountered: