Viewing 2 posts - 1 through 2 (of 2 total)
  • #11414

    I just received a warning from GoDaddy saying that using your theme opened my site up to cross-site scripting attacks.

    Here’s the info they sent. Please let me know how to proceed.

    Thank you.

    __________

    At this time, it does appear that your site is vulnerable to Cross-Site Scripting.

    You can see this by inserting this URL into your browser:

    http://whatagreatidea.com/blog/?s=%22%3E%3Cscript%3Ealert%2842%29%3C/script%3E

    In order to prevent this type of attack you will need to ensure that untrusted data is kept separate from browser content. The following is recommended:

    1. The best option is to properly escape all untrusted data based on the HTML context (body, attribute, JavaScript, CSS, or URL) that the data will be placed into. Unless your UI framework does this for you, your developers will need to include this escaping in your application.

    2. The use of positive or “whitelist” input validation with appropriate canonicalization (decoding) can also help to protect against XSS. Please note that this is not a complete defense as many applications will require special characters in their input.

    Additionally you can visit the site below for more information on preventing Cross Site Scripting.

    http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

    #71664

    Hi!

    Thank you for this notice. I marked this post for Kriesi’s attention.

    Regards,

    Peter
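The context-specific escaping recommended in the quoted notice, as an added example that is not part of the original thread and not the theme's own code. It is plain PHP; the function names and the search-form markup are assumptions made for illustration, and in a WordPress theme the built-in `esc_attr()`, `esc_html()` and `get_search_query()` cover the same contexts.

```php
<?php
// Constructed sample input: the value of the "s" parameter from the URL
// quoted in the notice, decoded the way PHP decodes $_GET['s'].
$term = urldecode('%22%3E%3Cscript%3Ealert%2842%29%3C/script%3E');

// Hypothetical "before": the term is echoed into an attribute as-is, so the
// leading quote and > end the value attribute and the rest becomes markup.
function search_field_unescaped(string $s): string {
    return '<input type="text" name="s" value="' . $s . '">';
}

// HTML attribute and body contexts: encode & < > and both quote characters.
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function escape_html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical "after": same markup, term escaped for the attribute context.
function search_field_escaped(string $s): string {
    return '<input type="text" name="s" value="' . escape_html($s) . '">';
}

// Body context: the term shown in a results heading.
function results_heading(string $s): string {
    return '<h1>Search results for: ' . escape_html($s) . '</h1>';
}

// URL context: percent-encode the term when it is put back into a link.
function repeat_search_link(string $s): string {
    return '<a href="/blog/?s=' . rawurlencode($s) . '">Repeat this search</a>';
}

// Print each rendering so the difference is visible in the page source.
foreach ([
    'unescaped attribute' => search_field_unescaped($term),
    'escaped attribute'   => search_field_escaped($term),
    'escaped body'        => results_heading($term),
    'escaped URL'         => repeat_search_link($term),
] as $label => $html) {
    echo $label, ': ', $html, "\n";
}
```

Run it with `php` on the command line and compare the first line of output with the other three: only the unescaped version contains a literal `<script>` element.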


The topic ‘GoDaddy sent Cross-Site Scripting Warning’ is closed to new replies.