Mitigating XSS Vulnerabilities when using Forms
We are committed to maintaining the highest standards of security for our platform. Recently, we identified and fixed a vulnerability that allowed HTML strings to be submitted through our form submissions, posing a risk of persisted cross-site scripting (XSS) attacks.
The Issue
Previously, our forms accepted and processed preformatted HTML, which could potentially be exploited for XSS attacks.
The Fix
To eliminate this risk, we now escape HTML content in form submissions. This means any HTML submitted will be sanitized, preventing it from being rendered in emails or on the dashboard.
New Best Practice: Using JSON for Data Submission
To adapt to this change, we recommend using JSON strings for data submission. Although the JSON data will be escaped, you can easily convert it back to its original form using server-side processing.
Example Implementation
Submit JSON String: When submitting form data, send it as a JSON string. For example:
{"id": "321609198"}
Handle Escaped Quotes: After submission, the JSON string will appear with escaped quotes, like this:
{"id":"321609198"}
Render with Liquid Templating: On the server side, use Liquid to replace the escaped quotes and parse the JSON. Here’s a sample Liquid template code to achieve this:
{% if submitted_form_fields['mail_data'] %} {% assign data = submitted_form_fields['mail_data'] | replace: """, '"' | from_json %} {% endif %} <table> <tr><td><strong>ID</strong></td><td>{{ data.id }}</td></tr> </table>
This method ensures that your data is safely parsed and displayed without risking XSS vulnerabilities.
Shared Responsibility Warning
It's crucial to note that this method should only be implemented if you are confident it will not introduce new XSS vulnerabilities. Developers must ensure that the JSON data being processed cannot be exploited for XSS attacks. This includes never allowing any html to be sent from the form directly or indirectly.
Conclusion
This change significantly enhances the security of our platform. We appreciate your cooperation and commitment to maintaining a secure environment for all users.
For any assistance or further clarification, please contact our support team.