Forums

Hello!
Checked my forms with the program Acunetix Web Vulnerability Scanner...
A large degree of XSS attack was detected.
Message of programm:
A malicious code can be placed on a row that runs on the page.
The code for this line is here MySite\administrator\components\com_chronoforms5\chronoforms\actions\html\html.php in line 277.

$form_action = (strlen($config->get('action_url', '')) > 0) ? $config->get('action_url', '') : \GCore\Libs\Url::buildQuery($current_url, array('chronoform' => $form->form['Form']['title'], 'event' => $config->get('submit_event', 'submit')));

I can not determine the place where to make a patch (to filter the data) to prevent an attack.
Help, please!

The whole head broke.
The problem was temporarily decided as follows:

To file MySite\libraries\cegcore\libs\url.php In line 126 after:

public static function buildQuery($path, $params = array()){

Added a new line with the code:

$path=strip_tags(htmlspecialchars($path));

The result is as follows (from line 126):

public static function buildQuery($path, $params = array()){
		$path=strip_tags(htmlspecialchars($path));
		if(empty($params)){
			return $path;
		}
		$url_params = array();
		if(strpos($path, '?') !== false){
			$path_pcs = explode('?', $path);
			$path_comps = parse_url($path);
			$query = $path_comps['query'];
			parse_str($query, $fragments);
			$fragments = array_merge($fragments, $params);
			return $path_pcs[0].'?'.http_build_query($fragments);
		}else{
			return $path.'?'.http_build_query($params);
		}
	}

Hi Gugo,

This looks like it is mostly a false report to me. This is the code that creates the Action URL for the form. If it is a concern to you then you can set your own Action URL in the HTML (Render form) action or just set Relative URL to No in the same place.

Bob