possible xss attempt with an order?

would it be possible for fc to look at an order that came in that has what looks like xss attempt code within the name and address fields?

the order number is 1342420345

You can clearly see the extra script tags in the fields, but I am unsure of a number of things:

1) assume fc protects against this? both on the server and client end from executing malicious code?
2) What causes this to happen? is the page (server) infected or the customers (client) machine?
3) can tags just be stripped away? I know twig does not by default allow raw html, but why even print tags in fields at all? since I'm using custom templates I could add the twig striptags filter if you guys allow that filter?
4) mainly I'd like to ensure we're not exposing any vulnerabilities that could cause any potential harm to customers, and even if an attempt was made (and failed) from the clients machine that we cannot control, it would be good not to return that attempt back to them in a receipt or email, but just let the attempt fail silently.

thank you!



Comments
  • brettbrett FoxyCart Team
    Hi @freshjones. Thanks for bringing this to our attention. We've actually got an improvement pending. There's no XSS risk within Foxy itself (we've tested this specific attack recently to confirm), but the improvement we'll be making is to sanitize the data a bit more, just in case external integrations don't sanitize data properly.
Sign In or Register to comment.