I've been informed, by a close friend (and internet security expert)

  • Michael Wood
    Asked on May 13, 2011 at 01:01 PM

    I've been informed, by a close friend (and internet security expert), that the 'Contact Us' form on my website (www.rmxdp.co.uk) is open to XSS attacks. What can be done about it?


    I wanted to take the commercial option by paying, instead of taking the free option. But now, I'm not so sure.


    Yours, Michael - RMXDP.

  • aytekin
    Answered on May 13, 2011 at 03:14 PM

    Can he make an XSS attack and show us what he means? Because it does not make sense to me. Those attacks are made when you need to login to an account. On a simple contact form, exactly what do you attack?

     

  • Anon.
    Answered on May 13, 2011 at 03:36 PM

    User input is not being tag stripped.

  • NeilVicente
    Answered on May 14, 2011 at 12:02 AM

    @Anon.

    I've taken notice of that. I'm not sure though how that could be a problem. Submissions are displayed in the submissions page and reports anyway, so unless an individual has access to those submissions there is nothing good that they can get out of it.  But of course, a clever hacker with a twisted mind can probably find a way to use this vulnerability to his advantage. With that in mind, I have included these notes in the report ticket I submitted for this issue.

    Thank you for your input. We appreciate it.


    Neil
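The pattern Anon. and Neil describe, form input that is stored without tag stripping and later shown on a submissions page or in a report, is stored XSS: the payload runs in the browser of whoever views the submissions, not the submitter's. The example below is added here for illustration and is not JotForm's code; the field names, the `stripScriptTags` filter and the sample submission are all constructed assumptions. It renders one submission the unsafe way and the hardened way, and also shows why stripping `<script>` tags on input is not enough on its own: an event-handler attribute on an ordinary tag survives the filter, while HTML output encoding at render time neutralises both.

```javascript
'use strict';

// Added example, not JotForm's code. Shows how a stored contact-form submission
// becomes stored XSS when rendered raw, and how output encoding prevents it.

// HTML-escape the characters that can change context in an HTML text node or a
// double-quoted attribute value. Escaping at render time is the primary defence.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Naive input filter (assumed, for contrast): removes <script> tags only.
// It misses payloads that use event-handler attributes on other tags.
function stripScriptTags(value) {
  return String(value).replace(/<\/?script\b[^>]*>/gi, '');
}

// Vulnerable rendering: interpolates stored fields straight into markup,
// which is what "user input is not being tag stripped" amounts to on the
// submissions page described in the thread.
function renderSubmissionUnsafe(submission) {
  return `<tr><td>${submission.name}</td><td>${submission.message}</td></tr>`;
}

// Hardened rendering: every untrusted field is escaped for the HTML text context.
function renderSubmissionSafe(submission) {
  return `<tr><td>${escapeHtml(submission.name)}</td><td>${escapeHtml(submission.message)}</td></tr>`;
}

// Detects live script-bearing markup: a <script> tag, or any tag carrying an
// on* event-handler attribute. Escaped text has no literal "<tag", so it is inert.
function hasActiveMarkup(html) {
  return /<script\b|<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Constructed sample submission (not taken from the thread): a benign name and a
// message carrying a script tag, as a "Contact Us" form might store it.
const sampleSubmission = {
  name: 'Michael',
  message: 'Hello<script>alert("xss")</script>',
};

// Constructed second payload that a script-tag filter does not catch.
const eventHandlerPayload = '<img src=x onerror=alert(1)>';

// Usage: compare the three treatments of the same stored input.
console.log('raw      :', hasActiveMarkup(renderSubmissionUnsafe(sampleSubmission)));   // true
console.log('escaped  :', hasActiveMarkup(renderSubmissionSafe(sampleSubmission)));     // false
console.log('stripped :', hasActiveMarkup(stripScriptTags(eventHandlerPayload)));       // true
```

The check that matters for this thread is where escaping happens: the submissions page and the reports must encode every stored field for the context they print it in (HTML text here; attribute, URL and JavaScript contexts each need their own encoder). Filtering on input can be kept as defence in depth, but a filter that only knows about `<script>` gives no protection against `onerror` and similar handlers.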