Is there any way to prevent XSS attacks in Magento? On my localhost I am just trying to check how to prevent XSS attacks. For example, I am inserting a script when a user registers in Magento; I was just shocked that after inserting a whole script in the name field I was successfully registered. My dashboard screenshot:
After refreshing the page I got another screen.
I just want to prevent users so that no one can do that.
Please help me prevent these types of attacks.
Also, this may be a template problem. If your template doesn't properly escape user input, you end up with garbage in your database. I'm running 1.4.1.1 as well, but the input fields are filtered as follows:
<li class="wide">
    <label for="street_1" class="required"><em>*</em><?php echo $this->__('Street Address') ?></label>
    <div class="input-box">
        <!-- htmlEscape() entity-encodes <, >, &, " and ' so a stored value is rendered as text, not markup -->
        <input type="text" name="street[]" value="<?php echo $this->htmlEscape($this->getAddress()->getStreet(1)) ?>" title="<?php echo $this->__('Street Address') ?>" id="street_1" class="input-text required-entry" />
    </div>
</li>
The htmlEscape() function is supposed to take care of the nasties. On some templates, it was missing from search fields and you could get a verifiable XSS problem using it.
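As an added example (not code from the answer above or from Magento itself), the following plain-PHP script shows what htmlEscape()/escapeHtml() does to the kind of value described in the question, and why the escaping has to match the output context. The escapeHtml() function here is a stand-in written for this example that mirrors the default htmlspecialchars(ENT_QUOTES) behaviour of Magento's helper; the sample payloads are constructed.

```php
<?php
// Added example: output escaping as applied by a Magento template, reproduced
// in plain PHP so it can be run from the CLI without a Magento install.

// Stand-in for Mage_Core_Helper_Abstract::escapeHtml() with no allowed tags:
// entity-encode <, >, &, " and '.
function escapeHtml($data)
{
    return htmlspecialchars((string) $data, ENT_QUOTES, 'UTF-8');
}

// Constructed sample: a "first name" containing markup, as in the question.
$firstname = '<script>alert(document.cookie)</script>';

// 1. Unescaped output: the browser parses the stored value as markup (the bug).
echo "Unescaped:        <p>Welcome, " . $firstname . "</p>\n";

// 2. Escaped into an HTML text node or a *quoted* attribute: inert text.
echo "Escaped (body):   <p>Welcome, " . escapeHtml($firstname) . "</p>\n";
echo 'Escaped (attr):   <input type="text" name="firstname" value="'
    . escapeHtml($firstname) . '" />' . "\n";

// 3. Same function, wrong context: an UNQUOTED attribute. htmlspecialchars()
//    does not touch spaces, so the value can still add attributes of its own.
//    Constructed sample value:
$unquoted = 'Bob onfocus=alert(1) autofocus';
echo 'Unquoted attr:    <input type=text value=' . escapeHtml($unquoted) . ">\n";
echo "   -> always quote attributes; escaping alone does not fix this context.\n";

// 4. JavaScript string context: encode as JSON with the HEX flags so <, >, ',
//    " and & cannot terminate the string or the <script> block.
echo 'JS context:       <script>var firstname = '
    . json_encode($firstname, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP)
    . ";</script>\n";
```

Running it prints each rendering side by side; the point for a template author is that escaping is chosen per context (HTML body, quoted attribute, JavaScript), and that htmlEscape() is the right tool only for the first two.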
Upgrading to the most recent version of any product is the best way to prevent XSS attacks. Young web applications are notorious for not taking these things seriously at first.
If you upgrade to the most recent version of Magento and are still running into the problem, I'd:
1. Notify the vendor about the problem.
2. Add a global model save listener that strips out HTML tags from fields in the specific models where you've found problems.
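One way to implement the save listener from point 2, as an added example that is not part of the answer and not Magento's own code: a Magento 1.x event observer that strips tags from the customer name fields before the model is written. The module name Example_XssGuard, its code pool, the observer class and method names, and the log file name are assumptions chosen for this example; the event name customer_save_before and the Varien_Event_Observer accessor are Magento 1 conventions.

```php
<?php
/**
 * Added example (assumed module Example_XssGuard, app/code/local).
 *
 * Registration assumed in app/code/local/Example/XssGuard/etc/config.xml:
 *
 *   <config>
 *     <global>
 *       <models>
 *         <example_xssguard><class>Example_XssGuard_Model</class></example_xssguard>
 *       </models>
 *       <events>
 *         <customer_save_before>
 *           <observers>
 *             <example_xssguard_strip_tags>
 *               <type>singleton</type>
 *               <class>example_xssguard/observer</class>
 *               <method>stripTagsFromCustomer</method>
 *             </example_xssguard_strip_tags>
 *           </observers>
 *         </customer_save_before>
 *       </events>
 *     </global>
 *   </config>
 *
 * Mage_Core_Model_Abstract::_beforeSave() dispatches "<eventPrefix>_save_before";
 * for Mage_Customer_Model_Customer the prefix is "customer" and the model is
 * exposed as $observer->getEvent()->getCustomer(). To cover every model at once
 * (the "global" listener the answer mentions), subscribe to model_save_before
 * instead and read $observer->getEvent()->getObject().
 */
class Example_XssGuard_Model_Observer
{
    /** Fields in which markup is never legitimate (assumed list). */
    protected $_textFields = array('prefix', 'firstname', 'middlename', 'lastname', 'suffix');

    public function stripTagsFromCustomer(Varien_Event_Observer $observer)
    {
        $customer = $observer->getEvent()->getCustomer();

        foreach ($this->_textFields as $field) {
            $value = $customer->getData($field);
            if ($value === null || $value === '') {
                continue;
            }

            $clean = $this->_sanitize($value);
            if ($clean !== $value) {
                $customer->setData($field, $clean);
                // Record the event: a stripped value is a signal worth alerting on,
                // not just silently fixing. Log file name is assumed.
                $id = $customer->getId() ? $customer->getId() : '(new)';
                Mage::log(
                    sprintf('Stripped markup from customer %s field "%s"', $id, $field),
                    Zend_Log::WARN,
                    'xss_guard.log'
                );
            }
        }
    }

    /**
     * Remove tags and surrounding whitespace. This is lossy by design: a name
     * has no legitimate use for "<" or ">", so dropping them is acceptable here.
     */
    protected function _sanitize($value)
    {
        return trim(strip_tags((string) $value));
    }
}
```

This is defence in depth for the stored value only: every template that echoes customer data still has to escape on output, because other models, import paths and admin forms can write to the same tables without passing through this observer.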