Cross Site Scripting
Started by gregNwt, Mar 14 2008, 03:23
2 replies to this topic
#1
Posted 14 March 2008, 03:23
I am getting a cross site scripting vulnerability message on my hacker-safe scans.
The only file that seems to be in error is the advanced_search.php file that shows the problem.
Can anyone advise where to start looking at making the advanced_search.php file not show up as a problem for the PCI compliance scans (due to the cross site scripting problem)?
#2
Posted 14 March 2008, 13:57
Here is a contribution that was started for the contact us form and has been added to include lots of others. It is very easy and can be fitted into your advanced search. What version of osC are you using?
http://addons.oscommerce.com/info/2976
You might want to also add
http://addons.oscommerce.com/info/5752
Edited by Java Roasters, 14 March 2008, 14:00.
Contributions;
Canada Post Package Tracking
Support System
FirePay / Surefire / Optimal Payments
Become a Community Sponsor
MS2.2 Help Documentation
#3
Posted 16 March 2008, 09:40
Java Roasters, on Mar 15 2008, 12:57 AM, said:
Here is a contribution that was started for the contact us form and has been added to include lots of others. It is very easy and can be fitted into your advanced search. What version of osC are you using?
http://addons.oscommerce.com/info/2976
You might want to also add
http://addons.oscommerce.com/info/5752
Thanks very much for the reply.
I'm using osCommerce 2.2-MS2 with SEO-Urls, Pricebreaks, Header-Tags, css-menus ... and a few others too, I guess.
I will look at patching the call to tep_draw_textarea_field as per the example.
<td><?php echo tep_draw_textarea_field('enquiry', 'soft', 50, 15); ?></td>
change it to show:
<td><?php echo tep_draw_textarea_field('enquiry', 'soft', 50, 15, tep_sanitize_string($_POST['enquiry']), '', false); ?></td>
from http://addons.oscommerce.com/info/2976
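To make the fix above concrete, here is an added stand-alone example (not code from the thread, the contribution at addons.oscommerce.com/info/2976, or osCommerce itself). It re-creates, in simplified form, how the 2.2-era tep_draw_textarea_field() refills a field from request data, applies the thread's fix (sanitized text plus $reload = false), and adds a third variant that HTML-encodes at the output sink. The helper bodies are reconstructed from memory and labelled as approximations; the $_POST value is constructed; vuln_textarea_field and safe_textarea_field are illustrative names.

```php
<?php
// Added example, not code from the thread or from osCommerce: a simplified
// re-creation of the osCommerce 2.2 textarea helper next to the fix from
// the thread and a third variant that escapes at the sink. Run from the CLI.

// Constructed request value, standing in for what a PCI scanner posts.
$_POST['enquiry'] = '</textarea><script>alert(1)</script>';

// Approximation of tep_draw_textarea_field() in osCommerce 2.2 html_output.php.
// With $reload left at its default of true, the helper refills the field from a
// variable that shares its name, unescaped. Under register_globals that variable
// is the raw request parameter, which is the reflected XSS the scanner flags.
function vuln_textarea_field($name, $wrap, $width, $height, $text = '', $parameters = '', $reload = true) {
    $field = '<textarea name="' . htmlspecialchars($name) . '" wrap="' . htmlspecialchars($wrap)
           . '" cols="' . (int)$width . '" rows="' . (int)$height . '"';
    if ($parameters !== '') {
        $field .= ' ' . $parameters;
    }
    $field .= '>';
    if ($reload === true && isset($_POST[$name])) {  // stands in for $GLOBALS[$name]
        $field .= stripslashes($_POST[$name]);       // reflected without encoding
    } elseif ($text !== '') {
        $field .= $text;
    }
    return $field . '</textarea>';
}

// tep_sanitize_string() as it behaves in osCommerce 2.2 (assumed, re-typed from
// memory): collapse runs of spaces, then turn < and > into underscores.
function tep_sanitize_string($string) {
    $string = preg_replace('/ +/', ' ', trim($string));
    return preg_replace('/[<>]/', '_', $string);
}

// Hardened variant (not from the contribution): HTML-encode whatever lands
// inside the element, so the customer's text survives intact but inert.
function safe_textarea_field($name, $wrap, $width, $height, $text = '') {
    return '<textarea name="' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8')
         . '" wrap="' . htmlspecialchars($wrap, ENT_QUOTES, 'UTF-8')
         . '" cols="' . (int)$width . '" rows="' . (int)$height . '">'
         . htmlspecialchars($text, ENT_QUOTES, 'UTF-8')
         . '</textarea>';
}

$enquiry = isset($_POST['enquiry']) ? $_POST['enquiry'] : '';

// 1. Stock call as in the unpatched form: the payload closes the element and runs.
echo vuln_textarea_field('enquiry', 'soft', 50, 15), "\n";
// 2. The thread's fix: pre-sanitized text, $reload = false so nothing is pulled
//    from the request behind the caller's back.
echo vuln_textarea_field('enquiry', 'soft', 50, 15, tep_sanitize_string($enquiry), '', false), "\n";
// 3. Encoding at the output sink instead of mangling the input.
echo safe_textarea_field('enquiry', 'soft', 50, 15, $enquiry), "\n";
```

Running it, the first line contains a live `<script>` element after a closed textarea; the second contains `_/textarea__script_alert(1)_/script_`; the third contains `&lt;/textarea&gt;&lt;script&gt;alert(1)&lt;/script&gt;` inside the textarea. Two caveats for anyone applying the contribution to advanced_search.php: tep_sanitize_string only rewrites angle brackets, which is enough for element content but not for an attribute value or a JavaScript context, and it alters what the shopper typed, whereas htmlspecialchars at the sink keeps the text and is safe in both element content and quoted attributes. Whatever helper renders the field the scanner's payload came back through (textarea or plain text input), the principle is the same: do not let the helper refill itself from raw request data, and encode the value where it is written into HTML.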