Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
SOLVED: Stored Cross site Scripting in "Site Name EN" parameter #1
Vulnerability Name: Stored Cross-site Scripting in "Site Name EN*" Parameter
Vulnerable URL: http://localhost/peel-shopping_9_1_0/administrer/sites.php
Mitigation: the Entire site is Vulnerable to Cross-site scripting attacks input validation should be properly implemented
References for Mitigation Vulnerability: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
Thanks for your report which is very clear and professional.
In this regard, this XSS is not a problem in itself. However, it is trus that it is not clean to allow HTML inside "Site Name EN" and we will change real_escape_string in the code into nohtml_real_escape_string in the database save of this information.
If you have any question on this matter, please feel free to discuss it further.
Thank you for the quick reply. Yeah, it is True. the admin has only had access to the administration module. however, input validation should be implemented in order to make secure. if possible use the htmlspecialchars() function when accepting input from the users this well encrypts the HTML tags such as <> to > and < you can see the reference link specified in the mitigation section for more details.
This is the example use of htmlspecialchars() in PHP
You can close this subject.