To sanitize input against XSS, use https://github.com/cure53/DOMPurify on the client side, something like this:

    // Sanitize every field of the form being submitted before it is sent.
    // Assumes the form is the first one on the page (document.forms[0]).
    function submitForm() {
        var elements = document.forms[0].elements;
        for (var i = 0; i < elements.length; i++) {
            elements[i].value = DOMPurify.sanitize(elements[i].value);
        }
        return true;
    }

The other thing is to always use 'html encode(value; *)' when you are rendering database values. This converts any HTML special characters to HTML entities.

All the best,

- Aparajita

> On Feb 22, 2018, at 3:15 AM, Norbert Pfaff <npf...@mac.com> wrote:
>
> Hi,
>
> I have a field username in a form.
>
> I save this field with something like
>
> [users]usrName:=_form{"name"}
> Save record[users]
>
> Now my customer (a town) has had a penetration test and the folks who have
> done it say there is a problem when somebody writes in his username
> something like this:
>
> xxx"><script>alert('xss in user');</script>
>
> Next time I open the user record, there is then a dialog with "xss in user".
>
> What is an easy way to check for characters not allowed?
>
> Regards
> Norbert
>
>
> Norbert Pfaff
> Hammelstalstr. 52
> 67098 Bad Dürkheim
>
> Phone: 06322 9108028
> Skype: npfaff
> eMail: npf...@mac.com
>
>
>
> _______________________________________________
> Active4D-dev mailing list
> Active4D-dev@aparajitaworld.com
> http://list.aparajitaworld.com/listinfo/active4d-dev
> Archives: http://active4d-nabble.aparajitaworld.com/
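As an added example (not code from the thread, and not Active4D's own `html encode` implementation), this JavaScript shows what the output-encoding step in the answer above accomplishes: the username value from the penetration-test report is placed into the edit form's `value` attribute once raw and once HTML-entity encoded, and only the encoded version keeps the browser from seeing a `<script>` tag. The field markup and the `containsScriptTag` check are constructed for the demonstration.

```javascript
// Added example, not from the thread: HTML entity encoding of an untrusted
// database value before it is rendered, the role `html encode` plays in Active4D.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every HTML special character so the value is inert both in element
// text and inside a double-quoted attribute value.
function htmlEncode(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Build the "edit user" input field the way a record form would, once with
// the raw value (the behaviour the pentesters reported) and once encoded.
function renderUsernameField(usrName, encode) {
  const v = encode ? htmlEncode(usrName) : usrName;
  return `<input name="name" value="${v}">`;
}

// Crude check used only for the demonstration: did the value smuggle a
// <script> start tag into the rendered markup?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// The payload from the penetration test, as quoted in Norbert's message.
const PAYLOAD = 'xxx"><script>alert(\'xss in user\');</script>';

const unsafe = renderUsernameField(PAYLOAD, false); // attribute is closed early, script runs
const safe = renderUsernameField(PAYLOAD, true);    // stays a harmless attribute value

console.log(unsafe);
console.log(safe);
```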