Home/ Questions/Q 8721317
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-13T07:12:06+00:00

Checking through my contact form I have found Cross Site Scripting vulnerabilities but haven’t

  • 0

Checking through my contact form I have found Cross Site Scripting vulnerabilities but haven’t enough knowledge on how to fix this.

Affected Parameter: name
Vector Used: “>alert(document.cookie)
Pattern found: \”>alert(document.cookie)
Complete Attack: /http://##################/contact.php [name=\”>alert(document.cookie) &email= &message=]

Affected Parameter: email
Vector Used: “>alert(document.cookie)
Pattern found: \”>alert(document.cookie)
Complete Attack: /http://##################/contact.php [name= &email=\”>alert(document.cookie) &message=]

Affected Parameter: message
Vector Used: “>alert(document.cookie)
Pattern found: \”>alert(document.cookie)
Complete Attack: /http://##################/contact.php [name= &email= &message=\”>alert(document.cookie)]

My current form code looks like this

<?php 
if (isset($_POST['submit'])) { 
    $error = ""; 

    if (!empty($_POST['name'])) { 
        $name = $_POST['name']; 
        if (!preg_match('/^[a-zA-Z0-9]+$/i', $name)){  
            $error .= "The name you entered is not valid. <br/>"; 
        } 
    } else { 
        $error .= "You didn't type in your name. <br />"; 
    } 

    if (!empty($_POST['email'])) { 
        $email = $_POST['email']; 
        if (!preg_match("/^[_a-z0-9]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/i", $email)){  
            $error .= "The e-mail address you entered is not valid. <br/>"; 
        } 
    } else { 
        $error .= "You didn't type in an e-mail address. <br />"; 
    } 

    if (!empty($_POST['messagesubject'])) { 
        $messagesubject = $_POST['messagesubject']; 
    } else { 
        $error .= "You didn't type in a subject. <br />"; 
    } 

    if (!empty($_POST['message'])) { 
        $message = $_POST['message']; 
    } else { 
        $error .= "You didn't type in a message. <br />"; 
    } 

    if(($_POST['code']) == $_SESSION['code']) {  
        $code = $_POST['code']; 
    } else {  
        $error .= "The captcha code you entered does not match. Please try again. <br />";     
    } 

    if (empty($error)) { 
        $from = 'From: ' . $name . ' <' . $email . '>'; 
        $to = "aaron@fosternetwork.co.uk"; 
        $subject = strip_tags("CWS - Contact Us - \n" . $messagesubject); 
        $content = strip_tags("Name: " . $name . "\nSubject: " . $messagesubject . "\nMessage: \n" . $message); 
        $success = "<h2>Thank you! <span>Your message has been sent!</span></h2>"; 
        mail($to,$subject,$content,$from); 
        $emailSent = true; 
    } 
} 
?>

Form

<form action="contact.php" method="post"> 

    <label>Name:</label> 
    <input type="text" name="name" value="<?php if ($_POST['name']) { echo $_POST['name']; } ?>" /> 

    <label>Email:</label> 
    <input type="text" name="email" value="<?php if ($_POST['email']) { echo $_POST['email']; } ?>" /> 

    <label>Subject:</label> 
    <input type="text" name="messagesubject" value="<?php if ($_POST['messagesubject']) { echo $_POST['messagesubject']; } ?>" /> 

    <label>Message:</label><br /> 
    <textarea name="message" rows="20" cols="20"><?php if ($_POST['message']) { echo $_POST['message']; } ?></textarea> 

    <label>Please input the following code: <img src="captcha.php"></label> 
    <input type="text" name="code"> <br />  

    <button type="submit" class="colorButton" name="submit" value="Send message">Send Message</button> 

</form>

Any help is really appreciated.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Your HTML generation has a flaw in it:

     value="<?php if ($_POST['name']) { echo $_POST['name']; } ?>"

    You should always escape your output variables, i.e.:

     value="<?php if ($_POST['name']) { echo htmlspecialchars($_POST['name']); } ?>"

    See also: htmlspecialchars() or htmlentities()

    • 0