Prevent XSS attack in PayPal HTML form

I have a problem with an XSS scan on SiteLock. They said that some of the URLs from the HTML input form are vulnerable, and that each parameter I send through the form is vulnerable. In this case the vulnerability is in the PayPal input form. I built my website with a PayPal redirect, so the user enters their own data into the form and the system sends it to PayPal. This is an example of my form code:
<div class="col-md-5">
<input type="text" class="form-control" name="L_PAYMENTREQUEST_FIRSTNAME" id="L_PAYMENTREQUEST_FIRSTNAME" value="<?=$_SESSION['post_value']['shipping_first_name']?>" readonly="readonly">
</div>
<input type="hidden" name="billing_first_name" value="<?=$_POST['billing_first_name']?>">
<input type="hidden" name="billing_last_name" value="<?=$_POST['billing_last_name']?>">
<input type="hidden" name="billing_email" value="<?=$_POST['billing_email']?>">
<input type="hidden" name="billing_phone" value="<?=$_POST['billing_phone']?>">
<input type="hidden" name="billing_address" value="<?=$_POST['billing_address']?>">
<input type="hidden" name="billing_city" value="<?=$_POST['billing_city']?>">
<input type="hidden" name="billing_postcode" value="<?=$_POST['billing_postcode']?>">
<input type="hidden" name="billing_state" value="<?=$_POST['billing_state']?>">
That is part of my form. What I want to know is what's wrong with that form and how to stop SiteLock from flagging it for XSS. Could anyone who knows please help me?

I would also recommend using the HTTP header.
X-XSS-Protection: 1; mode=block
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection

You probably don't check/sanitize the data you are getting in the input fields, so by typing <script>alert('hacked')</script> in the billing_address field, on the next page where you print billing_address you will get a popup window saying "hacked".
On the page that processes your form you should validate that the input fields don't contain any JavaScript code.
For example:
<?php
// define variables and set to empty values
$name = $email = $gender = $comment = $website = "";
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    $name    = test_input($_POST["name"] ?? "");
    $email   = test_input($_POST["email"] ?? "");
    $website = test_input($_POST["website"] ?? "");
    $comment = test_input($_POST["comment"] ?? "");
    $gender  = test_input($_POST["gender"] ?? "");
}

// trims, strips backslashes left by magic quotes, then escapes <, >, &, " and '
// so the value cannot break out of HTML text or out of a quoted attribute
function test_input($data) {
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data, ENT_QUOTES, 'UTF-8');
    return $data;
}
?>
You need to create a function like test_input and run it on all your input fields.
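As an added example (not code from the question or from either answer), here are the hidden billing fields from the question rendered through an escaping helper instead of echoing $_POST values straight into value="...". The helper names attr() and render_hidden_fields(), the allow-list and the sample POST array are my own; the field names are the question's. One caveat on the other answer: the X-XSS-Protection header is a legacy browser filter that Chromium-based browsers and Firefox no longer act on, so escaping every value at output is what actually removes the finding.

```php
<?php
// Added example, not code from the question or either answer: render the
// billing fields through an escaping helper. attr(), render_hidden_fields(),
// the allow-list and the sample POST array are assumptions made for this
// example; the field names are the question's.

declare(strict_types=1);

/** Escape a value for a single- or double-quoted HTML attribute (or HTML text). */
function attr(?string $value): string
{
    // ENT_QUOTES also escapes the single quote; ENT_SUBSTITUTE replaces invalid
    // UTF-8 instead of returning an empty string, which would silently drop data.
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Build hidden inputs for exactly the listed field names and nothing else. */
function render_hidden_fields(array $post, array $allowed): string
{
    $html = '';
    foreach ($allowed as $name) {
        // A missing key becomes an empty value rather than a PHP notice.
        $html .= sprintf(
            "<input type=\"hidden\" name=\"%s\" value=\"%s\">\n",
            attr($name),
            attr($post[$name] ?? '')
        );
    }
    return $html;
}

$allowed = [
    'billing_first_name', 'billing_last_name', 'billing_email', 'billing_phone',
    'billing_address', 'billing_city', 'billing_postcode', 'billing_state',
];

// Constructed sample submission: a scanner-style payload in billing_address, an
// attribute-breakout attempt in billing_city, and a key that is not on the list.
$samplePost = [
    'billing_first_name' => 'Max',
    'billing_address'    => '<script>alert("hacked")</script>',
    'billing_city'       => '"><img src=x onerror=alert(1)>',
    'evil_extra'         => 'never rendered because it is not in $allowed',
];

// What the question's template produces: the quote in billing_city closes the
// attribute and the rest of the value becomes a new tag.
$unsafe = '<input type="hidden" name="billing_city" value="' . $samplePost['billing_city'] . '">';

// The escaped version keeps every character inside the attribute value.
$safe = render_hidden_fields($samplePost, $allowed);

echo "Unsafe:\n", $unsafe, "\n\nEscaped:\n", $safe;
```

The same attr() call belongs around the $_SESSION value in the readonly shipping field. Escaping fixes the reflection; validating each field for its expected shape (digits for a phone number, filter_var() for the email) before forwarding it is a separate, additional check.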

Related

Status Detail: 5068 when using SagePay

I am trying to use SagePay. I have an account and I would like to use Server Integration.
The error I get is Status Detail: 5068 : The encryption method is not supported by this protocol version.
I'm trying to create a simple 'pay now' button, as described in the documents. The code samples provided by Sage don't appear to work.
Can someone please let me know why the code below doesn't work? Thanks.
<?php
require_once('lib/SagePay.php');

$sagePay = new SagePay();
$sagePay->setCurrency('BG');
$sagePay->setAmount('100');
$sagePay->setDescription('Lorem ipsum');
$sagePay->setBillingSurname('Mustermann');
$sagePay->setBillingFirstnames('Max');
$sagePay->setBillingCity('Cologne');
$sagePay->setBillingPostCode('50650');
$sagePay->setBillingAddress1('Bahnhofstr. 1');
$sagePay->setBillingCountry('de');
$sagePay->setDeliverySameAsBilling();

/* Example of using BasketXML */
$xml = new DOMDocument();
$basketNode = $xml->createElement("basket");
$itemNode = $xml->createElement("item");

$descriptionNode = $xml->createElement('description');
$descriptionNode->nodeValue = 'First Item Description';
$itemNode->appendChild($descriptionNode);

$quantityNode = $xml->createElement('quantity');
$quantityNode->nodeValue = '1';
$itemNode->appendChild($quantityNode);

$unitNetAmountNode = $xml->createElement('unitNetAmount');
$unitNetAmountNode->nodeValue = '90.00';
$itemNode->appendChild($unitNetAmountNode);

$unitTaxAmountNode = $xml->createElement('unitTaxAmount');
$unitTaxAmountNode->nodeValue = '10.00';
$itemNode->appendChild($unitTaxAmountNode);

$unitGrossAmountNode = $xml->createElement('unitGrossAmount');
$unitGrossAmountNode->nodeValue = '100.00';
$itemNode->appendChild($unitGrossAmountNode);

$totalGrossAmountNode = $xml->createElement('totalGrossAmount');
$totalGrossAmountNode->nodeValue = '100.00';
$itemNode->appendChild($totalGrossAmountNode);

$basketNode->appendChild($itemNode);
$xml->appendChild($basketNode);
$sagePay->setBasketXML($xml->saveHTML());

$sagePay->setSuccessURL('https://website.co.uk/page.html');
$sagePay->setFailureURL('https://website.co.uk/page.html');
?>
<form method="POST" id="SagePayForm" action="https://test.sagepay.com/gateway/service/vspform-register.vsp">
    <input type="hidden" name="VPSProtocol" value="3.00">
    <input type="hidden" name="TxType" value="PAYMENT">
    <input type="hidden" name="Vendor" value="vendorname here">
    <input type="hidden" name="Crypt" value="<?php echo $sagePay->getCrypt(); ?>">
    <input type="submit" value="continue to SagePay">
</form>
A couple of things to check:
1. Ensure you are using AES encryption on the Crypt field.
2. When sending the crypt over to Sage Pay, make sure it is prefixed with '@'.
3. Make sure you are not Base64 encoding the string after you have AES encrypted it (the protocol documents are a little misleading in this regard).
[update]: 4. You are actually using the Form integration method...
Thanks for the help on this.
It was a problem with the encryption method. The code that eventually worked for me was this one:
https://github.com/tolzhabayev/sagepayForm-php/blob/master/lib/SagePay.php
And my form button is like this:
<form method="POST" id="SagePayForm" action="https://test.sagepay.com/gateway/service/vspform-register.vsp">
    <input type="hidden" name="VPSProtocol" value="3.00">
    <input type="hidden" name="TxType" value="PAYMENT">
    <input type="hidden" name="Vendor" value="vendornamehere">
    <input type="hidden" name="Crypt" value="<?php echo $sagePay->getCrypt(); ?>">
    <input type="submit" value="continue to SagePay">
</form>
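As an added example, not code from the question, the answer, or the linked library, here is a Form-integration Crypt field built and decrypted the way the three checks above describe it. I am assuming the protocol 3.00 scheme as I understand it (AES-128-CBC with the 16-character encryption password used as both key and IV, PKCS#7 padding, the ciphertext hex-encoded in upper case with a leading '@' and no Base64 step) and a plain "Key=Value&Key=Value" field list; confirm both against your own Sage Pay integration guide. The password, field values and function names are made up.

```php
<?php
// Added example, not code from the question or the linked library. The scheme
// (AES-128-CBC, key = IV = 16-char encryption password, PKCS#7 padding,
// uppercase hex, leading '@', no Base64) and the "Key=Value&..." field format
// are my reading of protocol 3.00; verify against the official guide. The
// password and field values are constructed for this example.

declare(strict_types=1);

const CIPHER = 'AES-128-CBC';

/** Encrypt an assembled "Key=Value&Key=Value" string into a Crypt field. */
function sagepay_encrypt(string $plain, string $password): string
{
    if (strlen($password) !== 16) {
        throw new InvalidArgumentException('encryption password must be 16 bytes');
    }
    // OPENSSL_RAW_DATA gives raw bytes; we hex-encode ourselves and never Base64.
    $raw = openssl_encrypt($plain, CIPHER, $password, OPENSSL_RAW_DATA, $password);
    if ($raw === false) {
        throw new RuntimeException('openssl_encrypt failed');
    }
    return '@' . strtoupper(bin2hex($raw));
}

/** Reverse of sagepay_encrypt(); also usable on the Crypt sent back to SuccessURL. */
function sagepay_decrypt(string $crypt, string $password): string
{
    if ($crypt === '' || $crypt[0] !== '@') {
        throw new InvalidArgumentException('Crypt field must start with @');
    }
    $raw = @hex2bin(substr($crypt, 1));
    if ($raw === false) {
        throw new InvalidArgumentException('Crypt field is not hex encoded');
    }
    $plain = openssl_decrypt($raw, CIPHER, $password, OPENSSL_RAW_DATA, $password);
    if ($plain === false) {
        throw new RuntimeException('decryption failed: wrong password or corrupted data');
    }
    return $plain;
}

/** Join fields; '&' or '=' inside a value would corrupt the gateway's parsing. */
function sagepay_fields(array $fields): string
{
    $parts = [];
    foreach ($fields as $key => $value) {
        if (strpbrk((string) $value, '&=') !== false) {
            throw new InvalidArgumentException("field $key contains & or =");
        }
        $parts[] = $key . '=' . $value;
    }
    return implode('&', $parts);
}

// Constructed sample data; the password stands in for your real one.
$password = 'abcdefghijklmnop';
$plain = sagepay_fields([
    'VendorTxCode' => 'ORDER-0001',
    'Amount'       => '100.00',
    'Currency'     => 'GBP',
    'Description'  => 'Lorem ipsum',
    'SuccessURL'   => 'https://website.co.uk/page.html',
    'FailureURL'   => 'https://website.co.uk/page.html',
]);

$crypt = sagepay_encrypt($plain, $password);
printf("Crypt: %s\n", $crypt);
printf("Round trip ok: %s\n", sagepay_decrypt($crypt, $password) === $plain ? 'yes' : 'no');
```

The decrypt side matters as much as the encrypt side: the gateway returns a Crypt parameter to your SuccessURL, and only a value that decrypts cleanly under your password should be trusted to update an order.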

Validate input field for correct email address?

I need help with my contact form. I want that, when a user enters his email address in the input field and it is wrong, i.e. without an @, the input box shakes (which indicates an error), and when the user enters a correct email address, it is accepted.
The problem with my current code is that when the user enters a correct email address, the input field still shakes. I need to validate the input field for a correct email.
Any help would be appreciated.
Thanks in advance.
<!-- the original had no echo in the action, so it was empty; PHP_SELF is escaped because it reflects the request path -->
<form id="form_id" method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>" onsubmit="javascript:return validate('form_id','email');" novalidate>
<input type="text" id="email" name="email" value="<?php if (isset($_POST["email"])) {echo htmlspecialchars($ema ?? '', ENT_QUOTES, 'UTF-8');} ?>" class="error"/>
<br><br>
<button type="submit" name="submit" class="getaccess-btn">Get Access </button>
</form>
The JS for it is:
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js"></script>
<script type="text/javascript">
function validate(form_id, email) {
    var reg = /^([A-Za-z0-9_\-\.])+@([A-Za-z0-9_\-\.])+\.([A-Za-z]{2,4})$/;
    var address = document.forms[form_id].elements[email].value;
    if (reg.test(address) == false) {
        $(document).ready(function() {
            $("button").click(function() {
                $("#email").delay(0).animate({"left": "-=30px"}, 80).animate({"left": "+=60px"}, 80).animate({"left": "-=60px"}, 80).animate({"left": "+=60px"}, 80).animate({"left": "-=30px"}, 80);
            });
        });
        return false;
    }
}
</script>
The PHP code:
<?php
$your_email = "youremailid@gmail.com"; // email address to which the form data will be sent
$subject = "Contact Message"; // subject of the email that is sent
$thanks_page = "thank-you.html"; // path to the thank you page following successful form submission
// Nothing needs to be modified below this line
if (isset($_POST["submit"])) {
    $ema = trim($_POST["email"] ?? "");
    // get_magic_quotes_gpc() no longer exists in PHP 8; only call it where it is defined
    if (function_exists("get_magic_quotes_gpc") && get_magic_quotes_gpc()) {
        $ema = stripslashes($ema);
    }
    // the form above only posts "email"; name and comment stay empty unless fields are added for them
    $nam = trim($_POST["name"] ?? "");
    $com = trim($_POST["comment"] ?? "");
    $error_msg = array();
    if (empty($ema) || !filter_var($ema, FILTER_VALIDATE_EMAIL)) {
        $error_msg[] = "Your email must have a valid format, such as name@mailhost.com";
    }
    // strip CR/LF from anything that goes into a mail header, otherwise a submitter can inject extra headers
    $nam = str_replace(array("\r", "\n"), "", $nam);
    $email_body =
        "Email of sender: $ema\n\n" .
        "$com";
    // Assuming there's no error, send the email and redirect to Thank You page
    if (!$error_msg) {
        mail($your_email, $subject, $email_body, "From: $nam <$ema>" . "\r\n" . "Reply-To: $ema");
        header("Location: $thanks_page");
        exit();
    }
}
?>
The CSS for it is:
.error{height:auto;width:100px;position:absolute;}
I can't understand your issue properly, but if you are working with email validation then there is no need for JavaScript. You can simply use email as the input type in HTML5.
For example, you can write the following:
<form>
<input type="email" name="email" required>
<input type="submit">
</form>
This will automatically validate the input field for @ and .
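Neither the HTML5 type="email" attribute nor the jQuery shake is a security control: a client can skip both and post directly to the PHP script. As an added example (not code from the question or the answer), here is the server side of the same form: the address is validated again with filter_var(), and nothing user-supplied is allowed to carry a line break into a mail() header. The function names and the sample submissions are mine.

```php
<?php
// Added example, not code from the question or the answer: server-side checks
// for the contact form. Client-side validation only helps honest users, so the
// address is validated again here and no user-supplied value may carry a
// newline into a mail() header. Function names and sample inputs are made up.

declare(strict_types=1);

/** True only for a syntactically valid address without header-breaking characters. */
function is_valid_email(string $candidate): bool
{
    $candidate = trim($candidate);
    if ($candidate === '' || strlen($candidate) > 254) {
        return false;
    }
    // FILTER_VALIDATE_EMAIL already rejects CR, LF and spaces; the explicit
    // check states the intent and does not depend on the filter's details.
    if (preg_match('/[\r\n\0]/', $candidate)) {
        return false;
    }
    return filter_var($candidate, FILTER_VALIDATE_EMAIL) !== false;
}

/** Replace anything that could start a new header line in a display name. */
function header_safe(string $value): string
{
    return trim(preg_replace('/[\r\n\0]+/', ' ', $value));
}

/**
 * Build the extra-headers string for mail(). Returns null when the address is
 * unusable, so the caller never sends with a half-validated header.
 */
function build_headers(string $name, string $email): ?string
{
    if (!is_valid_email($email)) {
        return null;
    }
    $name = header_safe($name);
    // Quote the display name so punctuation in it cannot be read as address syntax.
    $from = $name === '' ? $email : sprintf('"%s" <%s>', addcslashes($name, '"\\'), $email);
    return "From: $from\r\nReply-To: $email\r\n";
}

// Constructed submissions: one honest, one with a header-injection attempt in
// the address, and one with the same attempt moved into the name field.
$submissions = [
    ['name' => 'Max Mustermann', 'email' => 'max@example.com'],
    ['name' => 'Max', 'email' => "max@example.com\r\nBcc: everyone@example.org"],
    ['name' => "Max\r\nBcc: everyone@example.org", 'email' => 'max@example.com'],
];

foreach ($submissions as $i => $s) {
    $headers = build_headers($s['name'], $s['email']);
    printf("submission %d: %s\n", $i + 1, $headers === null ? 'rejected' : json_encode($headers));
}
```

The second submission is rejected outright; the third is sent, but the injected "Bcc:" ends up as harmless text inside the quoted display name rather than as a header of its own.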

'Simple' PHP script shows error in line 10, what have I done wrong? [closed]

My freshly updated website has a contact form with a PHP mail script which I based on the form script here.
The script is saved on my web server, but when data is submitted no mails are sent, as there is a fault in line 10.
I honestly don't understand enough to pinpoint my error; can someone help a newbie out?
I found a temporary replacement by using Bravenet, but I'd like to use my unbranded version, if simple PHP scripts are as simple as they seem…
My script (kontakt.php) looks like this:
<?php
/* Set e-mail recipient */
$myemail = "edw@rdturner.co.uk";
$subject = "Kontaktformular"; /* was never set in the original, so mail() got an empty subject */
/* Check all form inputs using check_input function */
$name = check_input($_POST['name'], "Ihr Name");
$email = check_input($_POST['email'], "Ihre E-Mail-Adresse");
$kontaktnummer = check_input($_POST['kontaktnummer']);
$thema = check_input($_POST['thema']); /* the form field is named "thema", not "them" */
$message = check_input($_POST['message']), "Worum geht's?");
/* If e-mail is not valid show error message */
if (!preg_match("/([\w\-]+@[\w\-]+\.[\w\-]+)/", $email))
{
    show_error("E-mail-Adresse ungültig");
}
/* Let's prepare the message for the e-mail */
$message = "Hallo!
Ihr Form ist unterwegs…:
Name: $name
E-Mail-Adresse: $email
Kontaktnummer: $kontaktnummer
Frage zum Thema? $thema
Nachricht: $message
End of message
";
/* Send the message using mail() function */
mail($myemail, $subject, $message);
/* Redirect visitor to the thank you page */
header('Location: danke.htm');
exit();

/* Functions we used */
function check_input($data, $problem = '')
{
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    if ($problem && strlen($data) == 0)
    {
        show_error($problem);
    }
    return $data;
}

function show_error($myError)
{
?>
<html>
<body>
<b>Hier stimmt was nicht - bitte prüfen!</b><br />
<?php echo $myError; ?>
</body>
</html>
<?php
    exit();
}
?>
and my submission form like this:
<form method="post" enctype="multipart/form-data" action="http://pub14.bravenet.com/emailfwd/senddata.php" accept-charset="utf-8">
<input type="hidden" name="usernum" value="1126560145">
<input type="hidden" name="cpv" value="2">
<ol><li>
<label for="name">Name (Erforderlich)</label>
<input id="name" name="name" class="text" />
</li><li>
<label for="email">E-Mail-Adresse (Erforderlich)</label>
<input id="email" name="email" class="text" />
</li><li>
<label for="kontaktnummer">Kontaktnummer (Erforderlich)</label>
<input id="kontaktnummer" name="kontaktnummer" class="text" />
</li><li>
<label for="thema">Fragen zum Thema (Erforderlich)</label><br />
<input type="checkbox" name="thema" value="unterricht" /> Unterricht<br />
<input type="checkbox" name="thema" value="übersetzungen" /> Übersetzungen<br />
<input type="checkbox" name="thema" value="dolmetschen" /> Dolmetschen<br />
<input type="checkbox" name="thema" value="faß" /> Englisch vom Faß<br />
<input type="checkbox" name="thema" value="anders" /> Andere
</li><li>
<label for="message">Worum geht's? (Erforderlich)</label>
<textarea id="message" name="message" rows="8" cols="50"></textarea>
</li><li>
<input type="image" name="imageField" id="imageField" src="images/submit.gif" class="send" />
<div class="clr"></div>
</li></ol>
</form>
Naturally I'll need to tweak the html to reflect the newly working script… but how?
Thanks in advance
Edd Turner
Change
$message = check_input($_POST['message']), "Worum geht's?");
to
$message = check_input($_POST['message'], "Worum geht's?");
There is a ) in the wrong place.

$message = check_input($_POST['message']), "Worum geht's?");
Excessive ); try $message = check_input($_POST['message'], "Worum geht's?");

Check out the extra ')'. The error is in this line.
Change
$message = check_input($_POST['message']), "Worum geht's?");
to
$message = check_input($_POST['message'], "Worum geht's?");

Receiving data from a form and modifying it using preg_replace

I have the following HTML code:
<form method="post" action="">
<b>Name: <input type="text" name="username" size="20" />
<input type="submit" value="Login" name="login" />
</form>
and:
<?php
if(isset($_POST['login'])){
$check = $_POST['username'];
?>
Whenever a user submits his username, the user should receive his username back with the following modifications:
1) Spaces will be replaced with "_"
2) All letters will become lower-case letters.
Example:
Username: "I Like Icecream"
Result:
i_like_icecream
The message should be displayed to the user as a variable through an echo.
echo "$result";
I was thinking about doing it with preg_replace, but didn't really manage to, since I am not very familiar with it. Any help will be appreciated.
preg_replace() is far more powerful than this task needs, and more expensive. The patterns you need to change are constant, so you're better off using str_replace() and mb_strtolower():
$encoding = 'UTF-8'; // optional
$name = $_POST['username'];
$name = str_replace(' ', '_', $name);
$name = mb_strtolower($name, $encoding); // or $name = mb_strtolower($name); if you don't specify the encoding
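As an added example (not code from the question or the answer), here is a normalisation function that does what the answer describes and goes a little further: it collapses runs of any whitespace, lower-cases with mb_strtolower(), rejects anything outside an allow-list so the result is safe to use as an identifier, and escapes the value before the echo the question asks for. The function names, the allow-list and the sample inputs are mine.

```php
<?php
// Added example, not code from the question or the answer: normalise a posted
// username and echo it safely. normalize_username(), e(), the allow-list and
// the sample inputs are assumptions made for this example.

declare(strict_types=1);

/**
 * Lower-case, replace whitespace runs with a single "_", and require the
 * result to match an allow-list. Returns null for unusable input.
 */
function normalize_username(string $raw): ?string
{
    $name = trim($raw);
    // One preg_replace() handles spaces, tabs and Unicode spaces alike; the
    // str_replace(' ', '_', ...) from the answer would leave tabs untouched.
    $name = preg_replace('/\s+/u', '_', $name);
    if ($name === null) {        // invalid UTF-8 makes preg_replace() return null
        return null;
    }
    $name = mb_strtolower($name, 'UTF-8');
    // Allow-list: letters, digits and underscore, 3 to 32 characters. Anything
    // else (quotes, angle brackets, slashes) is rejected rather than cleaned up.
    if (!preg_match('/^[\p{L}\p{N}_]{3,32}$/u', $name)) {
        return null;
    }
    return $name;
}

/** Escape for output inside HTML text or a double-quoted attribute. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed inputs: the question's example, one with mixed whitespace, one
// with non-ASCII letters, and a script-injection attempt.
$inputs = [
    'I Like Icecream',
    "  Jürgen\tMüller ",
    'ÉCOLE Normale',
    '<script>alert(1)</script>',
];

foreach ($inputs as $raw) {
    $result = normalize_username($raw);
    if ($result === null) {
        echo 'Rejected: ' . e($raw) . "<br>\n";
    } else {
        echo 'Username: ' . e($result) . "<br>\n";
    }
}
```

Rejecting rather than stripping unwanted characters keeps the rule easy to reason about: any username that reaches the database or a URL has already passed the allow-list, and the escaping on output is there as a second layer, not the only one.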

Zend_Form -- how to get form values except for disabled elements

I want to use Zend_Form to validate and filter the POST data, and some form fields are disabled elements,
but when I use $form->isValid($post) to filter the data and $form->getValues() to get the filtered data, it returns all the elements' values (including the disabled elements' values, which I don't want).
Such as:
<form method="post" action="">
<input type="text" disabled="disabled" name="account_id" value="123456">
<input type="text" name="name" value="">
<input type="text" name="email" value="">
<input type="text" disabled="disabled" name="created_date" value="2011-06-12">
<input type="text" disabled="disabled" name="created_by" value="admin">
<input type="submit">
</form>
So is there any way to get rid of the disabled elements' values?
(Because there are many fields and disabled elements, I don't want to trim them manually.)
Thanks!
This is something of a hack. We get all the elements and iterate through them; when we see that an element is disabled, we skip it.
$somearray = array();
$elements = $form->getElements();
foreach ($elements as $key => $element) {
    //echo $key;
    if ($element->disabled) {
        continue;
    }
    $somearray[$key] = $element->getValue();
}
Hope this helps, or you can hack on it ;).
It looks like this is not a bug but the accepted workflow for validating forms; see this: http://framework.zend.com/issues/browse/ZF-6909
It looks like the accepted solution/trick is to use
$form->isValidPartial($this->getRequest()->getPost())
instead of
$form->isValid($this->getRequest()->getPost())
isValidPartial only tests the form fields that are present in the POST, and disabled elements should not end up posted.
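The browser does not post disabled inputs, but nothing stops a client from adding account_id or created_by to the request by hand, and any approach that simply validates whatever is present will then accept them. As an added example in plain PHP (not Zend_Form code, and not from the question or the answers), here is a server-side allow-list applied to the posted data before it is used, whatever the form library does. The function names and the sample requests are mine; the field names are the question's.

```php
<?php
// Added example, plain PHP rather than Zend_Form code, not from the question or
// the answers: keep only the fields a client is allowed to set, so a tampered
// request cannot change server-owned values. Function names and sample requests
// are constructed; the field names are the question's.

declare(strict_types=1);

/** Fields the server owns; a client is never allowed to set them. */
const PROTECTED_FIELDS = ['account_id', 'created_date', 'created_by'];

/** Fields the client may send. Everything not listed here is dropped too. */
const EDITABLE_FIELDS = ['name', 'email'];

/**
 * Return [$clean, $rejected]: $clean holds only editable keys, $rejected lists
 * the keys the client tried to set but was not allowed to, for logging.
 */
function filter_post(array $post): array
{
    $clean = [];
    $rejected = [];
    foreach ($post as $key => $value) {
        if (in_array($key, EDITABLE_FIELDS, true)) {
            $clean[$key] = $value;
        } else {
            $rejected[] = $key;   // protected fields and any unknown key alike
        }
    }
    return [$clean, $rejected];
}

// Constructed requests: what a browser sends for the form in the question, and
// what a hand-crafted request looks like.
$browserPost = ['name' => 'Alice', 'email' => 'alice@example.com'];
$tamperedPost = [
    'name'       => 'Alice',
    'email'      => 'alice@example.com',
    'account_id' => '1',          // attempt to write to another account
    'created_by' => 'admin',
    'is_admin'   => '1',          // an unknown key, dropped as well
];

foreach (['browser' => $browserPost, 'tampered' => $tamperedPost] as $label => $post) {
    [$clean, $rejected] = filter_post($post);
    printf("%s: kept %s; rejected %s\n", $label, json_encode($clean), json_encode($rejected));
}
```

Listing the editable fields rather than the protected ones is deliberate: a new column added to the model later is protected by default instead of being silently writable until someone remembers to add it to PROTECTED_FIELDS.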