
My website http://www.imayne.com seems to have this issue, verified by McAfee. Can someone show me how to fix this?

It says this:

General Solution:

When accepting user input ensure that you are HTML encoding potentially malicious characters if you ever display the data back to the client.

Ensure that parameters and user input are sanitized by doing the following:

  • Remove < input and replace with "&lt;";
  • Remove > input and replace with "&gt;";
  • Remove ' input and replace with "&apos;";
  • Remove " input and replace with "&quot;";
  • Remove ) input and replace with "&#41;";
  • Remove ( input and replace with "&#40;";

I cannot seem to show the actual code. This website is showing something else.

    I'm not a web dev but I can do a little. I'm trying to be PCI compliant.

    • You need to program the solution - no one can show you how, especially as you have not provided the programming language and computing platform on your site. Commented Apr 25, 2011 at 17:06
    • Hi. All I know is that I'm using a WordPress theme, hosted with godaddy.com on a shared server (Apache), signed up for SSL and a shopping cart plugin named "Shopp", and I use PayPal Pro Checkout. Commented Apr 25, 2011 at 17:14
    • Then there is no way you are going to be PCI compliant... Commented Apr 25, 2011 at 17:25

    3 Answers


    Let me both answer your question and give you some advice. Preventing XSS properly needs to be done by defining a white-list of acceptable values at the point of user input, not a black-list of disallowed values. This needs to happen first and foremost before you even begin thinking about encoding.

    Once you get to encoding, use a library from your chosen framework, don't attempt character substitution yourself. There's more information about this here in OWASP Top 10 for .NET developers part 2: Cross-Site Scripting (XSS) (don't worry about it being .NET orientated, the concepts are consistent across all frameworks).

    Now for some friendly advice: get some expert support ASAP. You've got a fundamentally obvious reflective XSS flaw in an e-commerce site and based on your comments on this page, this is not something you want to tackle on your own. The obvious nature of this flaw suggests you've quite likely got more obscure problems in the site as well. By your own admission, "you're a noob here" and you're not going to gain the competence required to sufficiently secure a website such as this overnight.


    1 Comment

    Yes. This is basically a plugin issue (ecommerce plugin). I've contacted the support team and they are looking at it.

    The type of changes you are describing are often accomplished in several languages via an HTML encoding function. What is the site written in? If this is an ASP.NET site this article may help:

    http://weblogs.asp.net/scottgu/archive/2010/04/06/new-lt-gt-syntax-for-html-encoding-output-in-asp-net-4-and-asp-net-mvc-2.aspx

    In PHP use this function to wrap all text being output:

    http://ch2.php.net/manual/en/function.htmlentities.php

    Anyplace you see echo(...) or print(...) you can replace it with:

    echo(htmlentities( $whateverWasHereOriginally, ENT_COMPAT));
    

    Take a look at the examples section in the middle of the page for other guidance.

    3 Comments

    Hi. I'd say PHP, since WordPress is mostly PHP. Am I correct?
    Hi, Trey, I don't want to sound stupid as I'm not a web dev. Should I copy "string htmlentities ( string $string [, int $flags = ENT_COMPAT [, string $charset [, bool $double_encode = true ]]] )" and paste it somewhere in the header?
    @iMayne: Yes, PHP. Take a look at this: h-online.com/security/news/item/…

    Follow those steps exactly, and you're good to go. The main thing is to ensure that you don't treat anything the user submits to you as code (HTML, SQL, Javascript, or otherwise). If you fail to properly clean up the inputs, you run the risk of script injection.

    If you want to see a trivial example of this problem in action, search for

    <span style="color:red">red</span>
    

    on your site, and you'll see that the echoed search term is red.

    9 Comments

    Hi. When you say "search your site", what do you mean by that and how?
    Do you even own this site?!?? The search button is right there, in the top left hand corner...
    I was referring to searching your product catalog. Here's a direct link to what I had in mind.
    Thanks, Stevels. I thought I was to use some software to search. I do that.
    So, Stevevls, the outcome is that when I use the code to search, the result must not show the actual colour?
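The reflected search-term bug shown in this answer, and the output-encoding fix the second answer points at, side by side as an added example (written for this page, not code from the question, any answer, WordPress or the Shopp plugin). The function names are hypothetical and the search terms are constructed; it uses htmlspecialchars, the narrower sibling of the htmlentities call quoted above, which encodes exactly the HTML metacharacters the McAfee text lists.

```php
<?php
// Added example (not from the question or any answer): a minimal search-result
// page that reflects the user's query, first as the thread describes it and
// then with output encoding applied. Function names are hypothetical.

// VULNERABLE: the search term is concatenated into the page as raw HTML, so a
// query such as <span style="color:red">red</span> is rendered as markup
// (the red-text symptom this answer describes) rather than displayed as text.
function render_results_unsafe(string $term): string
{
    return "<p>Results for: " . $term . "</p>";
}

// FIXED: encode at the point of output. ENT_QUOTES also encodes the single
// quote (ENT_COMPAT alone leaves it untouched, which matters inside
// single-quoted attributes); the explicit charset avoids relying on the
// default, which changed between PHP releases.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_results_safe(string $term): string
{
    return "<p>Results for: " . h($term) . "</p>";
}

// Constructed inputs: the thread's own red-span test, and a term containing
// both quote characters to show why ENT_QUOTES is chosen over ENT_COMPAT.
$inputs = [
    '<span style="color:red">red</span>',
    'it\'s "quoted"',
];

foreach ($inputs as $term) {
    echo "unsafe: " . render_results_unsafe($term) . "\n";
    echo "safe:   " . render_results_safe($term) . "\n\n";
}
```

Inside a WordPress theme the same job is done by the built-in esc_html() helper, so a theme or plugin fix normally means wrapping the echoed search term in that rather than adding a new function.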