
[Resolved] sanitize data – disallowing HTML elements

This support ticket was created 2 years, 6 months ago. There's a good chance that you are reading advice that is now obsolete.

This is the technical support forum for Toolset - a suite of plugins for developing WordPress sites without writing PHP.


This topic contains 1 reply, has 2 voices.

Last updated by Waqar 2 years, 6 months ago.

Assisted by: Waqar.

#2418193

We ran a pen test on our site and found that a user can submit a Test<script>console.log(5)</script> via a form field. Below are all the details. We are trying to find a way to prevent any HTML tags from being submitted.
--------------
Some of the data entered in these forms was rendered by the dashboard area of the application at the following URL:

hidden link
The company information pages also rendered various inputs that were entered in these forms. An example of a company information page that was generated during the assessment was:

hidden link
Both of these areas of the application were vulnerable to cross-site scripting because they failed to properly encode or sanitise field contents prior to rendering.

As a proof-of-concept, Rootshell submitted the following in the hidden field named input_21 of the first form ("General Business Questions"):

Test<script>console.log(5)</script>
After submitting this request and visiting the dashboard at the "smes-listing" URL, the number 5 was written to the JavaScript console, demonstrating that the injected JavaScript was rendered and executed by the web browser.

#2419615

Hi,

Thank you for contacting us and I'd be happy to assist.

I've performed some tests on my website with Toolset Forms and it automatically excludes the script tags (<script> & </script>) from the form's processing as well as from the data saved in the database. The tests covered the post title, single line, multiple lines, WYSIWYG, and hidden generic fields.

Can you please check if this report is for the forms added using Toolset Forms? I tried to view those forms, but it seems you need to be logged in to access them.

The field naming convention "input_21" suggests that it could be a form from the Gravity Forms plugin. In that case, it would be best to consult and report this to their official support team.

Regards,
Waqar
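The report in the first post points at two separate controls: sanitising field contents on input and encoding them when they are rendered, and the reply describes only the first (stripping script tags). The following is an added example illustrating both in WordPress terms; it is not code from Toolset, Gravity Forms, or either participant, and the hook name and field keys in it are hypothetical placeholders.

```php
<?php
// Added example, not the thread's or any plugin's own code.
// Assumes the WordPress core functions sanitize_text_field(), wp_kses(),
// esc_html(), esc_attr() and esc_url(); the hook name and field keys
// used below are hypothetical placeholders.

/**
 * Sanitize submitted field values before they are saved.
 * sanitize_text_field() strips every tag (script elements including their
 * contents) and trims whitespace, which matches the "no HTML at all"
 * requirement in the question. wp_kses() with an allow-list is the option
 * when a WYSIWYG field must keep a small, known set of markup.
 */
function example_sanitize_submission( array $fields ) : array {
    $allowed_rich = array(
        'strong' => array(),
        'em'     => array(),
        'a'      => array( 'href' => array(), 'title' => array() ),
    );
    $clean = array();
    foreach ( $fields as $key => $value ) {
        if ( 'company_description' === $key ) {   // hypothetical rich-text field
            $clean[ $key ] = wp_kses( (string) $value, $allowed_rich );
        } else {                                   // single-line / hidden fields
            $clean[ $key ] = sanitize_text_field( (string) $value );
        }
    }
    return $clean;
}

/**
 * Escape on output: the dashboard listing in the report rendered stored
 * values unencoded. Each value is escaped for the context it lands in
 * (text node, URL, attribute), so any markup that survived input
 * filtering is shown as inert text instead of being interpreted.
 * This is the control that holds even when a tag blocklist on input misses a case.
 */
function example_render_listing_row( array $row ) : string {
    return sprintf(
        '<tr><td>%s</td><td><a href="%s">%s</a></td></tr>',
        esc_html( $row['company_name'] ),
        esc_url( $row['website'] ),
        esc_attr( $row['website'] )
    );
}

// Wire the sanitizer into the form plugin's save hook. 'example_form_save'
// is a placeholder: use the real hook of whichever plugin handles the form.
add_filter( 'example_form_save', 'example_sanitize_submission' );
```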