Magento Cross Site Scripting XSS


Post By: admin | 26-01-2012 06:35


I know this has been discussed in the past concerning the email address allowing XSS. McAfee has determined that Region_ID is allowing XSS as well. Does anyone know how to fix this? The information from McAfee is supplied below.

success_url=0
error_url=0
firstname=0
lastname=0
email=0
is_subscribed=1
create_address=1
company=0
telephone=0
street[]=
street[]=
city=0
region_id=>"></title></iframe></script></form></td></tr><br><iFraMe src
region=0
postcode=0
country_id=US
default_billing=1
default_shipping=1
password=0
confirmation=0

<li>
<div class="input-box">
<label for="city">City <span class="required">*</span></label><br/>
<input type="text" name="city" value="0" title="City" class="required-entry input-text" id="city"/>
</div>
<div class="input-box">
<label for="region_id">State/Province <span class="required">*</span></label><br/>
<select id="region_id" name="region_id" title="State/Province" class="validate-select" style="display:none">
<option value="">Please select region, state or province</option>
</select>
<script type="text/javascript">
$('region_id').setAttribute('defaultValue', ">"></title></iframe></script></form></td></tr><br><iFraMe src=http://www.McAfeesecure.com width=900 height=1100></IfRamE>");
</script>
<input type="text" id="region" name="region" value=">"></title></iframe></script></form></td></tr><br><iFraMe src=http://www.McAfeesecure.com width=900 height=1100></IfRamE>" title="State/Province" class="input-text" style="display:none"/>
</div>
</li>
<li>
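An added example (not Magento's template code and not from the post above): the scan output shows the submitted value landing in two different sinks, a JavaScript string literal inside an inline script and an HTML attribute value, so each needs its own encoding. The plain-PHP rendering below, with assumed names such as render_region_fields, allow-lists region_id as numeric first and then encodes each sink for its context; the input is the value from the scan, constructed here for the test.

```php
<?php
// Added example in plain PHP, not Magento's own code. Re-creates the two
// sinks seen in the scan output and encodes each one for its context.

// Constructed input: the region_id value McAfee submitted in the scan.
$payload = '>"></title></iframe></script></form></td></tr><br><iFraMe src=http://www.McAfeesecure.com width=900 height=1100></IfRamE>';

// Encoding for a double-quoted HTML attribute value.
function attr_encode(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Encoding for a JavaScript string literal inside an inline <script>.
// JSON_HEX_TAG turns < and > into \u003C / \u003E, so "</script>" can
// never appear in the emitted script body.
function js_encode(string $s): string {
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// region_id is a numeric key into the directory tables; anything else is
// dropped before it reaches the template (allow-list first, encode second).
function clean_region_id(string $raw): string {
    return ctype_digit($raw) ? $raw : '';
}

// Renders the same two fields the scan report shows, hardened.
function render_region_fields(string $regionId, string $region): string {
    $id = clean_region_id($regionId);
    return '<script type="text/javascript">' . "\n"
         . "\$('region_id').setAttribute('defaultValue', " . js_encode($id) . ");\n"
         . "</script>\n"
         . '<input type="text" id="region" name="region" value="'
         . attr_encode($region) . '" title="State/Province" class="input-text"/>' . "\n";
}

$html = render_region_fields($payload, $payload);
echo $html;

// Sanity checks: the markup from the payload must not survive as raw tags.
assert(strpos($html, '<iFraMe') === false);
assert(strpos($html, '</script></form>') === false);
assert(strpos($html, 'setAttribute(\'defaultValue\', "")') !== false);
```

Run with `php example.php`; the attribute sink prints as `&gt;&quot;&gt;&lt;/title&gt;...` and the script sink receives an empty string because the value was not numeric.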
