Mitigating XSS Vulnerabilities when using Forms

We are committed to maintaining the highest standards of security for our platform. Recently, we identified and fixed a vulnerability that allowed HTML strings to be submitted through our form submissions, posing a risk of persisted cross-site scripting (XSS) attacks.

The Issue

Previously, our forms accepted and processed preformatted HTML, which could potentially be exploited for XSS attacks.

The Fix

To eliminate this risk, we now escape HTML content in form submissions. This means any HTML that is submitted is stored as escaped text and is displayed literally rather than rendered as markup in emails or on the dashboard.

New Best Practice: Using JSON for Data Submission

To adapt to this change, we recommend using JSON strings for data submission. Although the JSON data will be escaped, you can easily convert it back to its original form using server-side processing.

Example Implementation

  1. Submit JSON String: When submitting form data, send it as a JSON string. For example:

    {"id": "321609198"}
    
  2. Handle Escaped Quotes: After submission, the JSON string will appear with escaped quotes, like this:

    {&quot;id&quot;:&quot;321609198&quot;}
    
  3. Render with Liquid Templating: On the server side, use Liquid to replace the escaped quotes and parse the JSON. Here’s a sample Liquid template code to achieve this:

    {% comment %} The stored field is HTML-escaped, so only the quote entity has to be
       reversed before the string is valid JSON again; other entities stay escaped. {% endcomment %}
    {% if submitted_form_fields['mail_data'] %}
      {% assign data = submitted_form_fields['mail_data'] | replace: '&quot;', '"' | from_json %}
    {% endif %}
    <table>
      <tr><td><strong>ID</strong></td><td>{{ data.id }}</td></tr>
    </table>
    

This method ensures that your data is safely parsed and displayed without risking XSS vulnerabilities.

Shared Responsibility Warning

It's crucial to note that this method should only be implemented if you are confident it will not introduce new XSS vulnerabilities. Developers must ensure that the JSON data being processed cannot be exploited for XSS attacks. This includes never allowing any HTML to be sent from the form, directly or indirectly.
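To make the pipeline concrete, the following is an added Python model (not the platform's own code) of the Example Implementation above together with the check the Shared Responsibility Warning asks for: the platform-side escaping, the quote-only restore that the Liquid `replace` filter performs, and a contrast with a full unescape. The sample payloads and the `has_html_chars` helper are constructed for this example; `mail_data` is the field name from the template above.

```python
import html
import json

# Constructed sample submissions (not from the article). 'mail_data' is the form
# field name used in the article's Liquid template.
SUBMISSIONS = {
    "plain": '{"id": "321609198"}',
    "markup": '{"id": "<b>321609198</b>"}',
    "amp": '{"name": "R&D"}',
}


def escape_submission(raw: str) -> str:
    """Model the platform-side fix: HTML-escape the whole submitted field before
    it is stored, so '<', '>', '&' and '"' cannot later be rendered as markup."""
    return html.escape(raw, quote=True)


def restore_quotes_and_parse(stored: str) -> dict:
    """Model the article's Liquid pipeline: replace: '&quot;', '"' | from_json.
    Only the quote entity is reversed, which is enough to make the string valid
    JSON again; every other entity (&lt; &gt; &amp;) stays escaped."""
    return json.loads(stored.replace("&quot;", '"'))


def full_unescape_and_parse(stored: str) -> dict:
    """Contrast case, do not use: reversing every entity also turns &lt;/&gt;
    back into raw tags, which undoes the protection the escaping provides."""
    return json.loads(html.unescape(stored))


def has_html_chars(value) -> bool:
    """Shared-responsibility check over the parsed JSON: True if any string still
    carries a raw '<', '>' or '&' (the latter also catches surviving entities).
    Such values need review before being rendered with {{ }}."""
    if isinstance(value, dict):
        return any(has_html_chars(v) for v in value.values())
    if isinstance(value, list):
        return any(has_html_chars(v) for v in value)
    return isinstance(value, str) and any(c in value for c in "<>&")


def process(raw: str) -> dict:
    """Full path: escape at submission time, restore quotes, parse, and record
    whether the values are plain text that is safe to display."""
    stored = escape_submission(raw)
    data = restore_quotes_and_parse(stored)
    return {"stored": stored, "data": data, "render_ok": not has_html_chars(data)}
```

Because only `&quot;` is reversed, a legitimate `&` in a value survives as `&amp;`, so values are not restored byte for byte; that is the trade-off that keeps `&lt;` and `&gt;` inert in the rendered output.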

Conclusion

This change significantly enhances the security of our platform. We appreciate your cooperation and commitment to maintaining a secure environment for all users.

For any assistance or further clarification, please contact our support team.
