Trying to get rid of Cross-Site Scripting (XSS) vulnerability in code

Time: 2016-02-12 20:34:30

Tags: php html

I have not messed with HTML or PHP much until recently, for this class. My task is to use a vulnerability tool to diagnose the problems and then try to fix them. I found that the highest alert is a Cross-Site Scripting (XSS) alert. I have read about this vulnerability but find it rather confusing in telling me what I actually need to do. The code is as follows:


The next program, which the one above refers to, is as follows:

<html>
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <title>Form Login</title>
</head>

<body OnLoad="document.main.username.focus();">

<!-- create the main form with a text box named username and a text box named emailadd -->
<form name="main" method="post" action="authcheck.php">
<table>
    <tr>
        <td colspan="2">
            <h4>Enter your Username and Email Address to continue</h4>
        </td>
    </tr>
    <tr>
        <td>username:</td>
        <td><input name="username" type="text" size="50"></td>
    </tr>
    <tr>
        <td>Email Address:</td>
        <td><input name="emailadd" type="text" size="50"></td>
    </tr>
    <tr>
        <td colspan="2" align="center"><input name="btnsubmit" type="submit" value="Submit"></td>
    </tr>
</table>
</form>

</body>
</html>

This program is generated when I press the submit button.

I am really just trying to find out what I should be trying to do to fix this error. Thanks.

3 answers:

Answer 0 (score: 2)

The issue is that you are not sanitizing the username or password in any way before writing it to that table.

Answer 1 (score: 2)

Because you are printing out the variables here:

echo "<tr>
      <td>" . $_SESSION['appusername'] . "</td>";
echo "<td>" . $_SESSION['appemail'] . "</td>";
echo "</tr>";

In order to do that, you need to remove HTML tags, and replace them with entities. To do that you need to, at the very least:

$username = htmlentities($_POST["username"]);
$email = htmlentities($_POST["emailadd"]);

You should, however, do even more than that, using filter_var. http://www.w3schools.com/php/filter_validate_email.asp :

Answer 2 (score: 1)

Sanitize your $email and $username variables using

$username = htmlentities($_POST['username']);
$email = htmlentities($_POST['emailadd']);

or

$username = htmlspecialchars($_POST['username']);
$email = htmlspecialchars($_POST['emailadd']);

htmlentities() replaces all characters with an HTML variant, while htmlspecialchars() replaces only a few characters.

Note that this is the most basic form of sanitizing your POST data. You can check out this filter function for more "complex" sanitizing and validation.
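Putting answers 1 and 2 together, the following is an added example written for this page; it is not the asker's authcheck.php and not code from either answer. It keeps the raw value, validates the e-mail address with filter_var() as answer 1 suggests, escapes every untrusted value at the point where it is written into the HTML table, and shows side by side what htmlentities() and htmlspecialchars() (answer 2) do to the same string. The form field names username and emailadd and the session keys appusername and appemail come from the question; the function names h(), validEmail(), renderRowVulnerable(), renderRowSafe() and compareEscapers() and the sample input are assumptions made for the example.

```php
<?php
// Added example, not the asker's authcheck.php or either answer's code.
// It escapes untrusted values at the point of output (the fix both answers
// describe) and validates the e-mail with filter_var (answer 1's suggestion).
// The keys 'username', 'emailadd', 'appusername' and 'appemail' come from the
// question; the function names and the sample input below are constructed.

declare(strict_types=1);

/** Escape a value for insertion into HTML text or a quoted attribute. */
function h(string $value): string
{
    // ENT_QUOTES also encodes ' and ", so the value is safe inside attributes;
    // ENT_SUBSTITUTE returns U+FFFD instead of '' on invalid UTF-8; the
    // charset argument must match the page's <meta charset="UTF-8">.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Validate an e-mail address with filter_var; returns null when it is invalid. */
function validEmail(string $raw): ?string
{
    $email = filter_var(trim($raw), FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

/** The row as the question builds it: raw session values straight into HTML. */
function renderRowVulnerable(string $username, string $email): string
{
    return '<tr><td>' . $username . '</td><td>' . $email . '</td></tr>';
}

/** The same row with every untrusted value escaped where it is written out. */
function renderRowSafe(string $username, string $email): string
{
    return '<tr><td>' . h($username) . '</td><td>' . h($email) . '</td></tr>';
}

/** Show what the two functions named in answer 2 do to the same input. */
function compareEscapers(string $value): array
{
    return [
        'htmlspecialchars' => htmlspecialchars($value, ENT_QUOTES, 'UTF-8'),
        'htmlentities'     => htmlentities($value, ENT_QUOTES, 'UTF-8'),
    ];
}

// Constructed sample input standing in for $_POST from the login form.
$post = [
    'username' => '<script>alert(1)</script>',
    'emailadd' => 'zoe@example.com',
];

// Validate on input, store the raw (unescaped) value, escape on output.
// A plain array stands in for $_SESSION so the script runs from the CLI.
$session = [];
$session['appusername'] = $post['username'];
$session['appemail']    = validEmail($post['emailadd']) ?? '';   // '' when invalid

echo 'Vulnerable: ', renderRowVulnerable($session['appusername'], $session['appemail']), "\n";
echo 'Escaped:    ', renderRowSafe($session['appusername'], $session['appemail']), "\n";

print_r(compareEscapers('<b>Zoë</b> & "co"'));
```

Run it with `php example.php`. The vulnerable row hands the script tag to the browser unchanged; the escaped row turns `<`, `>`, `&` and quotes into entities, so the browser renders the text instead of executing it. Escaping on output rather than on input keeps the stored username intact for other uses (logging, a JSON API) where HTML entities would be wrong. In the compareEscapers() output both functions encode `<b>`, `&` and the quotes the same way; the difference answer 2 describes is that htmlentities() also turns the non-ASCII `ë` into `&euml;` while htmlspecialchars() leaves it alone, which is why htmlspecialchars() with an explicit UTF-8 charset is the usual choice on a UTF-8 page.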