Cross Site Scripting Help



rfresh
04-09-2011, 05:32 AM
My website failed a PCI scan because of cross site scripting. The report gave an example of the code:

http://www.mywebsite.com:80/?<SCRIPT>foo</SCRIPT>


I don't understand how to code against this security failure. My site has an index.php file so I'm assuming I have to add some code in that file since the domain URL defaults to using that file.

I have a sanitize function being used on all the fields coming from the index.php file already. But I guess I'm still missing something.

Thanks for any help...

_Aerospace_Eng_
04-09-2011, 05:38 AM
Do you allow anything to be passed through the query string?

rfresh
04-09-2011, 05:47 AM
Well, I have some of the fields passing data through, but they are run through my sanitize function so I think they are ok. I guess I'm a bit puzzled about that Foo argument and how to detect/filter it? So I guess I don't know how to filter arguments that are not coming from my fields. Something is just not connecting in my brain.
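An added example (not the poster's code) showing both halves of the problem in PHP, since the site runs on index.php. It assumes index.php copies $_SERVER['REQUEST_URI'] or $_SERVER['QUERY_STRING'] into the page; that is how a probe like `/?<SCRIPT>foo</SCRIPT>`, which names none of the form fields the sanitize function covers, still gets reflected, and why escaping at output time is the fix.

```php
<?php
// Added example for this thread (not the poster's code). Assumption: index.php
// echoes $_SERVER['REQUEST_URI'] or $_SERVER['QUERY_STRING'] into its HTML.
// The probe /?<SCRIPT>foo</SCRIPT> has no "name=value" pair, so it never reaches
// a sanitized field; it only appears in these whole-request variables.
declare(strict_types=1);

// Vulnerable pattern: the current URL and query string are pasted into HTML as-is.
// The query string lands in the page body as live markup, which is the finding the
// scanner reported; the attribute copy would break out as soon as a probe carried a quote.
function render_vulnerable(string $request_uri, string $query_string): string
{
    return '<form action="' . $request_uri . '" method="get">'
         . '<p>Query: ' . $query_string . '</p></form>';
}

// Escape a value for HTML body or attribute context. ENT_QUOTES covers both quote
// styles so the result is safe inside attributes; ENT_SUBSTITUTE keeps invalid UTF-8
// from turning the output into an empty string.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Fixed pattern: the form posts to a fixed path instead of the request-controlled
// REQUEST_URI, and anything taken from the request is escaped on output.
function render_fixed(string $query_string): string
{
    return '<form action="index.php" method="get">'
         . '<p>Query: ' . esc($query_string) . '</p></form>';
}

// Constructed sample equal to what the scan sent; run with: php xss_demo.php
$probe_uri   = '/?<SCRIPT>foo</SCRIPT>';   // what $_SERVER['REQUEST_URI'] would hold
$probe_query = '<SCRIPT>foo</SCRIPT>';     // what $_SERVER['QUERY_STRING'] would hold

$bad  = render_vulnerable($probe_uri, $probe_query);
$good = render_fixed($probe_query);

echo $bad, PHP_EOL;   // still contains <SCRIPT>foo</SCRIPT>
echo $good, PHP_EOL;  // contains &lt;SCRIPT&gt;foo&lt;/SCRIPT&gt;, rendered as text

// Confirm the fixed output carries no live tag.
assert(strpos($good, '<SCRIPT') === false);
```

The same esc() call belongs around every request-derived value in index.php, not only named form fields; PHP_SELF used in a form action is the other common place this probe surfaces.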
