This topic contains a post which is marked as Best Answer. Press here if you would like to see it.
*

Tango

  • ***
  • 60 posts
XSS vulnerability in URL custom fields
« on: September 05, 2021, 09:17:32 PM »
As you can see in the attached screenshot, the URL custom fields in v4.4.0 aren't sanitized, which could lead to a possible XSS attack.

Could we validate it directly in oc-includes/osclass/frm/Field.form.class.php ?

Thanks!

*

MB Themes

Re: XSS vulnerability in URL custom fields
« Reply #1 on: September 05, 2021, 10:02:23 PM »
@Tango
Thanks for feedback, will check it out ;)
  To get fast support, we need following details: Detail description, URL to reproduce problem, Screenshots

*

Tango

  • ***
  • 60 posts
Re: XSS vulnerability in URL custom fields
« Reply #2 on: September 07, 2021, 02:41:57 PM »
Please note that the Phone field has the same vulnerability, as you can see in the attached screenshot.

*

MB Themes

Re: XSS vulnerability in URL custom fields
« Reply #3 on: September 07, 2021, 03:57:14 PM »
@Tango
Thanks for feedback, we will review it.
  To get fast support, we need following details: Detail description, URL to reproduce problem, Screenshots

Marked as best answer by frosticek on September 09, 2021, 10:00:21 AM
*

MB Themes

Re: XSS vulnerability in URL custom fields
« Reply #4 on: September 09, 2021, 09:54:11 AM »
@Tango
Fields has been sanitized (URL, Phone) in item data & user data and will be available in osclass 4.5.
  To get fast support, we need following details: Detail description, URL to reproduce problem, Screenshots