Web Application Cross Site Scripting
- Nate Edson
- Topic Author
- New Member
14 years 6 months ago #82851
Web Application Cross Site Scripting was created by Nate Edson
So I installed K2 and got everything running and looking just the way I wanted, and then this morning I get a security risk from my site scanner saying that K2 has a Web Application Cross Site Scripting vulnerability. How can I get this corrected?

Here is some info from the scanner:

Description
The remote web application appears to be vulnerable to cross-site scripting (XSS).
The cross-site scripting attack is one of the most common, yet overlooked, security problems facing web developers today. A web site is vulnerable if it displays user-submitted content without sanitizing user input.
The target of cross-site scripting attacks is not the server itself, but the users of the server. By finding a page that does not properly sanitize user input, the attacker submits client-side code to the server that will then be rendered by the client. It is important to note that websites that use SSL are just as vulnerable as websites that do not encrypt browser sessions.
The damage caused by such an attack can range from stealing session and cookie data from your customers to loading a virus payload onto their computer via browser.
To identify what parts of your application are susceptible to cross-site scripting, click on "Detail" under the "Found On" section.

General Solution
When accepting user input, ensure that you are HTML encoding potentially malicious characters if you ever display the data back to the client.
Ensure that parameters and user input are sanitized by doing the following:
- Remove < input and replace with &lt;
- Remove > input and replace with &gt;
- Remove ' input and replace with &apos;
- Remove " input and replace with &#x22;
- Remove ) input and replace with &#x29;
- Remove ( input and replace with &#x28;
- JoomlaWorks
- Admin
14 years 6 months ago #82852
Fotis / JoomlaWorks Support Team
---
Please search the forum before posting a new topic :)
Replied by JoomlaWorks on topic Web Application Cross Site Scripting
I guess you're referring to the comments system... We'll have a look, however so far we haven't had any reported issues. Thanks.
- Nate Edson
- Topic Author
- New Member
14 years 6 months ago #82853
Replied by Nate Edson on topic Web Application Cross Site Scripting
I am not sure where it is coming from. If you would like a report with more details I can email you a pdf.
- Lefteris
- Moderator
14 years 6 months ago #82854
JoomlaWorks Support Team
---
Please search the forum before posting a new topic :)
Replied by Lefteris on topic Web Application Cross Site Scripting
Hi, you don't need to worry about this. This is just advice from the site scanner you are using. K2 does filter user input. Especially for comments, K2 strips all HTML code. The next release of K2 will allow users to post some HTML in comments, but it will be passed through a safe HTML filter first. You are kindly requested to provide us with some more info on this report in order to figure out if it's referring to the comments system or to some other part of K2.
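The two defences discussed in this thread, the output-encoding table from the scanner report in the first post and the strip-all-HTML / safe-HTML-filter handling of comments described in the reply above, as one added worked example. This is Python written for this page, not K2's own PHP code (which is not shown anywhere in the thread); the sample comment, the allowed tag and attribute lists and the accepted URL schemes are assumptions made for the demo.

```python
import html
from html.parser import HTMLParser

# Constructed sample comment for the demo (not from the thread or the
# scanner report): the kind of probe a scanner posts into a comment form.
SAMPLE_COMMENT = (
    'Nice post <b>really</b> <script>alert(document.cookie)</script>'
    '<a href="javascript:alert(1)" onmouseover="alert(2)">bad</a> '
    '<a href="https://example.com/page?id=42">ok</a> and 1 < 2 & "q"'
)

# --- 1. Output encoding, as in the scanner's "General Solution" ----------
# Exactly the six characters and entities the scanner lists.
SCANNER_MAP = {"<": "&lt;", ">": "&gt;", "'": "&apos;",
               '"': "&#x22;", ")": "&#x29;", "(": "&#x28;"}

def encode_per_scanner(text: str) -> str:
    """Replace only the characters in the scanner's table."""
    return "".join(SCANNER_MAP.get(c, c) for c in text)

def encode_for_html(text: str) -> str:
    """Standard-library encoding for an HTML body or quoted attribute.
    Unlike the scanner's table it also encodes '&', so a user who types
    '&lt;b&gt;' sees exactly that instead of '<b>'."""
    return html.escape(text, quote=True)

# --- 2. Strip all HTML, then encode what is left --------------------------
# The approach the reply describes for K2 comments; this parser class is
# the example's own, not K2's code.
class _TagStripper(HTMLParser):
    SKIP = {"script", "style"}          # drop these tags and their bodies

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.text, self._skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in self.SKIP:
            self._skip = max(0, self._skip - 1)

    def handle_data(self, data):
        if not self._skip:
            self.text.append(data)

def strip_all_html(comment: str) -> str:
    p = _TagStripper()
    p.feed(comment)
    p.close()
    # Stripping alone is not enough: a literal '<' or '"' left in the
    # text still has to be encoded at output time.
    return encode_for_html("".join(p.text))

# --- 3. Allowlist "safe HTML" filter --------------------------------------
# What the reply says the next release will do: keep a few harmless tags,
# re-emit them with approved attributes only, encode everything else.
# These allowlists are assumptions for the demo.
ALLOWED_TAGS = {"b", "i", "em", "strong", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")

class _SafeHtmlFilter(_TagStripper):
    def __init__(self):
        super().__init__()
        self.out, self._open = [], []

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self._skip += 1
        elif tag in ALLOWED_TAGS and not self._skip:
            pieces = [tag]
            for name, value in attrs:
                if name not in ALLOWED_ATTRS.get(tag, ()) or value is None:
                    continue            # onmouseover=, style=, ...: dropped
                if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                    continue            # javascript:, data:, relative: dropped
                pieces.append(f'{name}="{encode_for_html(value)}"')
            self.out.append("<" + " ".join(pieces) + ">")
            self._open.append(tag)
        # any other tag is not re-emitted; its text content still is

    def handle_endtag(self, tag):
        if tag in self.SKIP:
            self._skip = max(0, self._skip - 1)
        elif tag in self._open and not self._skip:
            while self._open:           # close up to and including `tag`
                t = self._open.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self._skip:
            self.out.append(encode_for_html(data))

    def close(self):
        super().close()
        while self._open:               # balance tags left unclosed
            self.out.append(f"</{self._open.pop()}>")

def safe_html(comment: str) -> str:
    p = _SafeHtmlFilter()
    p.feed(comment)
    p.close()
    return "".join(p.out)

if __name__ == "__main__":
    for fn in (encode_per_scanner, encode_for_html, strip_all_html, safe_html):
        print(f"{fn.__name__:>18}: {fn(SAMPLE_COMMENT)}")
```

Running the block prints each function's result for the sample comment. The point to check against a scanner finding is the last step in every path: whatever survives filtering (stripped text, or text plus allowlisted tags) is still passed through encode_for_html before it is written into the page, so a stray `<`, `"` or `&` in a comment can never open a tag or break out of an attribute. The allowlist filter also shows why a scheme check on href matters: the `javascript:` link is emitted as a bare `<a>`, the `https:` one keeps its href, and the `onmouseover` handler never appears at all.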
- Steve Jonathan
- New Member
14 years 4 months ago #82855
Replied by Steve Jonathan on topic Web Application Cross Site Scripting
Hi Lefteris Kavadas,
When I can expect the next release of K2?
Any idea?
Kindly let me know.
Thank you.
Best,
Steve.
Custom Web Application Development