Issues with XSS Tag stripping

2 months 3 weeks ago #6513 by philtx
Issues with XSS Tag stripping was created by philtx
I run a shoutbox on my website, and someone tried to post part of the Declaration of Independence, but I got a security alert for XSS tag stripping. I can't see what's wrong with the post. How would I fix this so a post like this is allowed?

Here's the text:

"We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the pursuit of Happiness. –That to secure these rights, Governments are instituted among Men, deriving their just powers from the consent of the governed, –That whenever any Form of Government becomes destructive of these ends, it is the Right of the People to alter or to abolish it, and to institute new Government, laying its fou

Here's the log title: Tags stripped from string (possible XSS attack) :[POST:jjshout]

2 months 3 weeks ago #6514 by Jose
Replied by Jose on topic Issues with XSS Tag stripping
Hi philtx,

Maybe the form adds the stripped tags or the text includes a URL (and you can't see it because the payload is trimmed). Do you have this issue with all forms submitted or only with this one?

Regards,
Jose

2 months 3 weeks ago #6515 by philtx
Replied by philtx on topic Issues with XSS Tag stripping
I've had some work, some that get blocked in the same shoutbox. It seems very inconsistent.
The shoutbox is JJ Shoutbox (free version) from JoomJunk.
Component listed is com_ajax.

2 months 3 weeks ago #6516 by Jose
Replied by Jose on topic Issues with XSS Tag stripping
Can you please export the logs (there is a button to do that in the logs) and attach them?

Regards,
Jose

2 months 3 weeks ago - 2 months 3 weeks ago #6517 by philtx
Replied by philtx on topic Issues with XSS Tag stripping
Here they are (IP address/country info removed for security purposes).
Last edit: 2 months 3 weeks ago by Jose. Reason: Removed file

2 months 3 weeks ago #6518 by Jose
Replied by Jose on topic Issues with XSS Tag stripping
I have just downloaded the attachment and removed it.

After analysing it I don't see the pattern, but be fully sure there are HTML or PHP tags in the field. I'm going to download the extension to do some tests, but meanwhile you can add the component involved (com_ajax) as an exception in the XSS filter.

Regards,
Jose
