So I am using the jQuery UI library to open new dialog windows, and when the new dialog windows are opened I am passing some parameters like this:
<a href="http://www.mysite.com/custompage.html?width=100&height=200&param1=abc&param2=http://www.anothersite.com&param3=custom3">open modal</a>
The site works fine and no issues at all, my custompage.html just picks up those values that were passed and they are being used on the page, something like this:
var a = customfunctionget(param1); var b = customfunctionget(param2)....
I just received a report that we are vulnerable to Cross-Site Scripting attacks by replacing any of the params with something like this:
><script>alert(123)</script><param
I understand what is supposed to happen, but on any browser where I try to inject the script the alert is never displayed, so the “script/injection” is not being processed; custompage.html stops working as expected since we need the values to be entered correctly, but there is nothing I can do in that respect.
Is there a magic pill that I am missing here? Most of the XSS information that I find does the same thing, trying to inject an alert through a tag, but other than refusing to display any content if the parameter is not well formed I don't know what else can be done.
Any recommendations, tutorials welcome.
One of the easiest things you can do is encode all <, >, and & characters as &lt;, &gt;, and &amp;, respectively. Whenever a browser sees a <something> it thinks it's a DOM element. If you encode those characters, the browser will actually display them. This will foil people trying to execute <script>badstuff</script> on your site. Note that people won't be able to do things like add <b> tags to things if you do this. The above suggestion is a first step, but is by no means exhaustive.
I just found this, which seems like a good guide.
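As an added illustration of the answer's encoding advice combined with the validation the question is asking for (example code, not from the question or the answer; the function names, the 4000-pixel limit and the allowed-host list are assumptions):

```javascript
// Added example, not code from the question or answer; function names are hypothetical.
// Use when a value must go into an HTML string: the characters the answer names (plus quotes)
// are encoded so the value can never open or close a tag or attribute.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Validate each parameter against the shape custompage.html actually needs;
// return null when any is malformed so the dialog refuses to render.
function parseDialogParams(queryString) {
  const q = new URLSearchParams(queryString);
  const dim = (name) => {                      // width/height: positive integer pixels
    const n = Number(q.get(name));
    return Number.isInteger(n) && n > 0 && n <= 4000 ? n : null;
  };
  const token = (name) => {                    // param1/param3: small safe alphabet
    const v = q.get(name);
    return v !== null && /^[A-Za-z0-9_-]{1,64}$/.test(v) ? v : null;
  };
  const ALLOWED_HOSTS = new Set(['www.anothersite.com']); // assumed allowlist for param2
  let param2 = null;
  try {
    const u = new URL(q.get('param2') || '');
    if ((u.protocol === 'https:' || u.protocol === 'http:') && ALLOWED_HOSTS.has(u.hostname)) {
      param2 = u.href;                         // non-http(s) schemes and unknown hosts stay null
    }
  } catch (e) { /* not a parseable URL */ }
  const p = { width: dim('width'), height: dim('height'),
              param1: token('param1'), param2, param3: token('param3') };
  return Object.values(p).some((v) => v === null) ? null : p;
}

// Put values into the page as text, never as markup (textContent, not innerHTML).
function renderDialog(container, p) {
  const doc = container.ownerDocument;
  container.style.width = p.width + 'px';
  container.style.height = p.height + 'px';
  const label = doc.createElement('span');
  label.textContent = p.param1;              // a "<script>" here would display literally
  const link = doc.createElement('a');
  link.href = p.param2;                      // already http(s) to an allowlisted host
  link.textContent = p.param3;
  container.append(label, link);
}
```

In custompage.html you would call parseDialogParams(location.search) and only call renderDialog when the result is not null.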