I did a test with looking at the query_string from an very old app.Have a field clean_name with the default value:
@Middle(Query_String_Decoded;“&name=”;“&”);
This is then displayed on the webpage via a computed field.
It is by that very easy to validate XSS attacks by sending &name=>'>
That will then execute the script. So, the simplest thing would be to eliminate ’ " < > as possible values. This then by a @replacesubstring.
I am curious… I tested to replace < > with blanks and I can not trigger the script now in any way… sending hex, encoded or other formats.
My question/query is… Can I override this very simple filtering if I were a “bad person”?
I just wonder if I can inject any XSS into the field that is then passed on to the computed field unless < > cannot be included? Can it?
It seems to be that the server sees %3c, &x000003c or any other combo of < sent in the url as one and same “<” and executes the replace.
Am I lost here or can I see this as “more protected from XSS then before”?