Would it be possible for fc to look at an order that came in that has what looks like XSS attempt code in the name and address fields?
The order number is 1342420345.
You can clearly see the extra script tags in the fields, but I am unsure about a number of things:
1) Can I assume fc protects against this, on both the server and client end, from executing malicious code?
2) What causes this to happen? Is the page (server) infected, or the customer's (client) machine?
3) Can tags just be stripped away? I know Twig does not allow raw HTML by default, but why print tags in fields at all? Since I'm using custom templates, I could add the Twig striptags filter, if you allow that filter?
4) Mainly I'd like to ensure we're not exposing any vulnerabilities that could cause any potential harm to customers, and even if an attempt was made (and failed) from the client's machine that we cannot control, it would be good not to return that attempt to them in a receipt or email, but just let the attempt fail silently.
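Added example, not FoxyCart's code and not from the poster: a stand-alone Python sketch of the two options raised in point 3, escaping a field at output (what Twig's autoescape does for a template) versus stripping its tags (roughly what the striptags filter does), run over a constructed order record with the kind of name and address values the post describes. The function names and the sample order are assumptions of this example.

```python
import html
from html.parser import HTMLParser


class _TagStripper(HTMLParser):
    """Keeps text nodes, drops tags and the bodies of script/style elements."""

    def __init__(self):
        super().__init__()
        self.parts = []
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self.parts.append(data)


def strip_tags(value: str) -> str:
    """Approximates Twig's striptags: remove markup, keep the visible text.
    Note the result is NOT safe to print raw: entities such as &lt; are
    decoded back into '<', so stripped text still needs escaping on output."""
    parser = _TagStripper()
    parser.feed(value)
    parser.close()
    return "".join(parser.parts)


def escape_field(value: str) -> str:
    """Output encoding: the browser renders the tag as literal text, never runs it."""
    return html.escape(value, quote=True)


def render_receipt_html(order: dict) -> str:
    """Receipt fragment in which every customer-controlled field is escaped at
    output, which is what Twig's autoescape does inside a template."""
    rows = "".join(
        f"<tr><td>{escape_field(k)}</td><td>{escape_field(v)}</td></tr>"
        for k, v in order.items()
    )
    return f"<table>{rows}</table>"


# Constructed sample order (not a real record): name and address carry markup.
SAMPLE_ORDER = {
    "name": 'Jane <script>alert("xss")</script> Doe',
    "address": '1 Main St<img src=x onerror="alert(1)">',
}
```

Escaping is the control that keeps a receipt safe; stripping only changes what the customer sees, and a stripped value must still be escaped before it is printed.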