Osclass Support Forums

General osclass questions => Report bug => Topic started by: Tango on September 05, 2021, 09:17:32 PM

Title: XSS vulnerability in URL custom fields
Post by: Tango on September 05, 2021, 09:17:32 PM
As you can see in the attached screenshot, the URL custom fields in v4.4.0 aren't sanitized, which could lead to a possible XSS attack.

Could we validate it directly in oc-includes/osclass/frm/Field.form.class.php ?

Thanks!
Title: Re: XSS vulnerability in URL custom fields
Post by: MB Themes on September 05, 2021, 10:02:23 PM
@Tango
Thanks for the feedback, will check it out ;)
Title: Re: XSS vulnerability in URL custom fields
Post by: Tango on September 07, 2021, 02:41:57 PM
Please note that the Phone field has the same vulnerability, as you can see in the attached screenshot.
Title: Re: XSS vulnerability in URL custom fields
Post by: MB Themes on September 07, 2021, 03:57:14 PM
@Tango
Thanks for the feedback, we will review it.
Title: Re: XSS vulnerability in URL custom fields
Post by: MB Themes on September 09, 2021, 09:54:11 AM
@Tango
Fields have been sanitized (URL, Phone) in item data & user data and will be available in osclass 4.5.
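The thread above reports that the URL and Phone custom fields were stored and rendered without sanitization. The following PHP is an added example, not code from Osclass, from Field.form.class.php, or from any poster in the thread; it shows the two layers a fix for such a report needs: validation of the field value on input (reject anything that is not an http/https URL, or not a plausible phone number) and contextual escaping at output (so even a value that slipped past validation cannot break out of the attribute or text node). The function names `sanitize_url_field`, `sanitize_phone_field`, `esc_html` and `render_url_field`, and the sample inputs, are constructed for illustration.

```php
<?php
// Added example (not Osclass code). Function names and sample inputs are
// constructed for illustration; this is not Field.form.class.php.

/**
 * Accept only absolute http/https URLs. Returns the URL or null when rejected.
 * The scheme check matters: a bare filter_var() would let through schemes
 * such as "javascript:" that execute when placed in an href attribute.
 */
function sanitize_url_field(string $value): ?string
{
    $value = trim($value);
    if ($value === '' || filter_var($value, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($value, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    return $value;
}

/**
 * Accept only an optional leading "+" followed by 5..20 digits, spaces,
 * dots, dashes or parentheses. Anything else (angle brackets, quotes,
 * letters) is rejected rather than "cleaned", so the stored value is inert.
 */
function sanitize_phone_field(string $value): ?string
{
    $value = trim($value);
    return preg_match('/^\+?[0-9 ().-]{5,20}$/', $value) === 1 ? $value : null;
}

/** Escape a value for an HTML attribute or text node (output context). */
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Render a URL field the safe way: the value was validated on input and is
 * still escaped here, because storage and rendering are separate trust steps.
 */
function render_url_field(?string $url): string
{
    if ($url === null) {
        return '<span class="field-empty">-</span>';
    }
    $safe = esc_html($url);
    return '<a href="' . $safe . '" rel="nofollow noopener">' . $safe . '</a>';
}

/** Render a phone field as plain text, escaped at output. */
function render_phone_field(?string $phone): string
{
    return $phone === null
        ? '<span class="field-empty">-</span>'
        : '<span class="field-phone">' . esc_html($phone) . '</span>';
}

// Constructed sample inputs: a benign value and a markup-bearing one per field.
$urlSamples = [
    'https://example.com/page?a=1&b=2',   // kept, & escaped to &amp; on output
    'javascript:alert(1)',                // rejected: scheme is not http/https
    'https://example.com/"><i>x</i>',     // rejected or escaped, never raw
];
foreach ($urlSamples as $s) {
    echo render_url_field(sanitize_url_field($s)), "\n";
}

$phoneSamples = [
    '+1 (555) 010-0123',                  // kept
    '555<i>x</i>',                        // rejected: letters and markup
];
foreach ($phoneSamples as $s) {
    echo render_phone_field(sanitize_phone_field($s)), "\n";
}
```

Run it with `php example.php`. The benign URL renders as an anchor with `&amp;` in both the attribute and the link text, the `javascript:` value and the phone value with markup render as the empty placeholder, and the URL containing `"><i>x</i>` is either rejected by `filter_var()` or, if a given PHP version lets it through, arrives in the page with its quote and angle brackets encoded. Keeping `esc_html()` at the output step regardless of what validation did is the point: validation narrows what gets stored, escaping guarantees what gets rendered.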