We have a community portal developed in Skuid, and we have identified a security risk around reflected cross-site scripting. We are passing the Account ID between Skuid pages, and it is possible for a user to substitute a piece of JavaScript for the ID.
Unfortunately, from a community page (unlike internal pages), the JavaScript does not get blocked when it is sent to the server, and the server response includes the JavaScript, which is then executed in the client. The example we have used is a simple JavaScript alert.
Does anyone know how to prevent users from injecting a piece of JavaScript manually into the URL?
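One defensive approach to the problem described above, as an added example that is not code from the original post or from Skuid: treat the Account ID as untrusted input, accept it only if it matches the Salesforce record ID format (15 or 18 alphanumeric characters, Account IDs starting with the `001` key prefix), and HTML-encode anything that is reflected back into the page. The `accountId` parameter name and the sample IDs are assumptions constructed for the example; the check belongs wherever the parameter is actually consumed when the response is built.

```javascript
// Added example (not from the original post or Skuid): validate a record ID
// taken from a URL parameter and HTML-encode anything reflected into the page.
// The "accountId" parameter name is an assumption.

// Salesforce record IDs are 15 characters, or 18 with a 3-character checksum suffix.
const SF_ID_RE = /^[a-zA-Z0-9]{15}([a-zA-Z0-9]{3})?$/;

// Returns the ID if it is a well-formed Salesforce record ID, otherwise null.
// `prefix` optionally restricts it to one object type (Account IDs start with "001").
function sanitizeRecordId(value, prefix) {
  if (typeof value !== "string" || !SF_ID_RE.test(value)) return null;
  if (prefix && !value.startsWith(prefix)) return null;
  return value;
}

// Encode a string for safe insertion into HTML text or quoted attribute values.
function htmlEncode(str) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(str).replace(/[&<>"']/g, (c) => map[c]);
}

// Read accountId from a query string; returns null when it fails validation,
// so a script payload in the URL never reaches the page as an ID.
function accountIdFromQuery(queryString) {
  const params = new URLSearchParams(queryString);
  return sanitizeRecordId(params.get("accountId"), "001");
}

// Constructed sample inputs showing the accept/reject behaviour.
const samples = [
  "?accountId=001xx000003DGb2AAG",        // well-formed 18-character Account ID
  "?accountId=001xx000003DGb2",           // well-formed 15-character Account ID
  "?accountId=<script>alert(1)</script>", // the reflected alert described in the question
  "?accountId=003xx000003DGb2AAG",        // well-formed ID, but a Contact prefix, not Account
];
for (const q of samples) {
  const id = accountIdFromQuery(q);
  console.log(JSON.stringify(q), "->", id === null ? "rejected" : "accepted " + id);
}
```

Whatever still has to be echoed (an error message quoting the bad value, for instance) should pass through `htmlEncode` rather than being written raw.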