Textpattern CMS support forum
Cross-scripting issue with error pages?
I just received a PCI report that suggests there is a cross-scripting vulnerability for the Textpattern default_error page handling. This may well be a false-positive, but it seems like it is at least worth a fix.
Any suggestions on how I can redirect the URL to a ‘scrubbed’ version entity-encoding the sensitive characters (angle brackets, parens, etc.)?
Re: Cross-scripting issue with error pages?
Please forward the report to us.
I take it that the issue would be somewhere in your template code, how they are used or in plugins. You should fix the origin of the hole, rather than trying to monkey patch it by pre-filtering requests.
Last edited by Gocom (2013-12-18 07:18:07)
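An added example, not part of the thread and not Textpattern code: a plain-PHP sketch comparing the request scrubbing asked about in the question with encoding at the point of output, as the reply recommends. The function names, the error template and the sample paths are all hypothetical and constructed for illustration.

```php
<?php
// Added illustration; none of these functions exist in Textpattern.

// Approach from the question: scrub the request before the application sees it.
function prefilter_request(string $path): string
{
    return strtr($path, ['<' => '&lt;', '>' => '&gt;', '(' => '&#40;', ')' => '&#41;']);
}

// Approach from the reply: encode where the value is written into HTML.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical error template: reflects the path as text and inside an attribute.
function render_error(string $path, bool $encodeAtOutput): string
{
    $shown = $encodeAtOutput ? h($path) : $path;
    return '<p>Not found: ' . $shown . '</p>'
         . '<input name="q" value="' . $shown . '">';
}

// Constructed sample paths (not taken from any report).
$samples = [
    '/about<b>us</b>',            // markup in text context
    '/missing" data-injected="1', // quote closes the value attribute early
    '/files/report (final).pdf',  // legitimate name that the scrubber rewrites
];

foreach ($samples as $raw) {
    $scrubbed = prefilter_request($raw);
    echo "request:            $raw\n";
    echo "path app now sees:  $scrubbed\n";
    echo "scrubbed, raw echo: " . render_error($scrubbed, false) . "\n";
    echo "encoded at output:  " . render_error($raw, true) . "\n\n";
}
```

In the second sample the scrubbed output still contains the unencoded double quote, so the template emits an extra attribute, and in the third the application receives a path that no longer matches the real file name. Encoding at output handles both without altering the request.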