CodeCharge Studio
search Register Login  

Visual Web Reporting

Visually create Web Reports in PHP, ASP, .NET, Java, Perl and ColdFusion.
CodeCharge.com

YesSoftware Forums -> CodeCharge Studio -> PHP

 CCS PHP form validation and XSS security.

Print topic Send  topic

Author Message
oasisp

Posts: 43
Posted: 12/18/2019, 8:28 AM Quote message

I have few CCS forms(using Record Builder) having issue with security Scan getting High Risk on Cross-Site Scripting (XSS).
I had an individual inject JS alert showing that the my textbox on input had vulnerabilities.
I have done research on php XSS and found examples but for some reason I can't get them to work with CCS Form. how do implement on CCS form
I'm using PHP 7 and I am trying to implement htmlspecialchars() or filter_var for php xss

here i my example html form
<form action="{Action}" method="post" name="search">
<input type="text" name="q" value="search" />
<input type="submit" value="send" />
</form>

not sure how to use this code on CCS form to prevent Cross-Site Scripting (XSS). on Validation or before insert?
$input = htmlspecialchars($input, ENT_QUOTES);
filter_var($input, FILTER_SANITIZE_STRING);

View profile  Send private message
PCHome

Posts: 49
Posted: 12/29/2019, 8:19 PM Quote message

Doubt you�ll get much support as CodeCharge Studio seems all but defunct and I�ve never been able to get any sites to run on PHP 7.X. Since I run Linux now anyway and CCS doesn�t work with it, I�ve been manually reworking all my sites. Let�s see how long Yes Software leaves this reply as they seem to remove anything that speaks against them.
View profile  Send private message
datadoit


Posts: 6
Posted: 01/29/2020, 10:38 AM Quote message

This typically shouldn't be happening on CodeCharge forms, but I have seen it bypass built-in methods for preventing, particularly for open pages or forms (those without any login security).

If you do see this happening, in your form choose your text field, choose Events and then add Server -> On Validate -> Call Function:

Function Name: $Component->SetValue
Parameter 1: htmlentities($Container->myfield->GetValue(), ENT_QUOTES | ENT_HTML5, 'UTF-8')

View profile  Send private message
oasisp

Posts: 43
Posted: 01/29/2020, 1:30 PM Quote message

thanks. i will try it out.
View profile  Send private message
datadoit


Posts: 6
Posted: 01/30/2020, 11:05 AM Quote message

Also to protect you on the client side, in your record form, add Client -> On Submit -> Custom Code:

$('#myfield').val($('#myfield').val().replace(/(<([^>]+)>)/ig,""));
View profile  Send private message
oasisp

Posts: 43
Posted: 01/31/2020, 10:19 AM Quote message

awesome thanks
View profile  Send private message

Add new topic Reply to topic Subscribe to topic   


These are Community Forums for users to exchange information.
If you would like to obtain technical product help please visit http://support.yessoftware.com.

PHP Reports

Visually create Web Reports in PHP, ASP, .NET, Java, Perl and ColdFusion.
CodeCharge.com

Home   |    Search   |    Members   |    Register   |    Login


Powered by UltraApps Forum created with CodeCharge Studio
Copyright 2003-2004 by UltraApps.com  and YesSoftware, Inc.