Results 1 to 2 of 2
  1. 2 Dec 2015, 07:23 PM #1
    cstdenis
    cstdenis is offline New Zenner
    Join Date
    Jul 2006
    Posts
    17
    Plugin Contributions
    0

    Default Question for checkout_confirmation/header_php.php XSS comment field fix

    The diff for this is
    Code:
    -$_SESSION['comments'] = $_POST['comments'];
+$_SESSION['comments'] = zen_output_string_protected($_POST['comments']);
    which works fine for 1.5.4, but 1.3.9, the existing code is
    Code:
    $_SESSION['comments'] = zen_db_prepare_input($_POST['comments']);
    Should the zen_db_prepare_input be replaced by zen_output_string_protected, or should they be merged in some way such as zen_db_prepare_input(zen_output_string_protected($_POST['comments'])) or zen_output_string_protected(zen_db_prepare_input($_POST['comments']))?

    I don't want to accidentally introduce an sql injection vulnerability here.
    Reply With Quote Reply With Quote
  2. 2 Dec 2015, 07:31 PM #2
    DrByte's Avatar
    DrByte
    DrByte is offline Sensei
    Join Date
    Jan 2004
    Posts
    66,444
    Plugin Contributions
    279

    Default Re: XSS comment field fix

    Just use:
    $_SESSION['comments'] = zen_output_string_protected($_POST['comments']);

    ... and BE SURE to plan for an upgrade in the next couple months. Seriously.



    (Edit: I see in another forum thread you've said you're working on your upgrade. Kudos.)
    .

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.
    Reply With Quote Reply With Quote
 

 
« Previous Thread | Next Thread »

Similar Threads

  1. v150 I need header_php.php for products_description2
    By shawnhbk in forum All Other Contributions/Addons
    Replies: 8
    Last Post: 15 Apr 2012, 10:04 PM
  2. How to override header_php.php or how to add a new field to order confirmation email
    By monkeytown in forum Templates, Stylesheets, Page Layout
    Replies: 5
    Last Post: 25 Jan 2008, 06:01 PM
  3. xss fix vs google checkout - how do I do this?
    By fats1964 in forum General Questions
    Replies: 0
    Last Post: 5 Jul 2007, 05:04 PM
  4. [FIX] v1.3.5 XSS Exploits Found
    By catv in forum Bug Reports
    Replies: 19
    Last Post: 29 Oct 2006, 05:51 PM
  5. Zero-Day XSS Security Fix
    By athena in forum General Questions
    Replies: 2
    Last Post: 12 Oct 2006, 08:17 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules

disjunctive-egg
Content and Graphics Copyright (c) 2003 - 2026 Zen Ventures, LLC - all rights reserved
Zen Cart® is a Registered Trademark of Zen Ventures, LLC