XSS vulnerability

  • drewm

    Approved the thread.
  • PHP
    <ul class="nav-2" role="navigation">
    <li><a <?php echo ($cat == 'transporte') ? "class='current'" : ""; ?>href="/proyectos.php?cat=transporte"><?php perch_content('nav-transporte-'.$lang); ?></a></li>
    <li><a <?php echo ($cat == 'comercial') ? "class='current'" : ""; ?>href="/proyectos.php?cat=comercial"><?php perch_content('nav-comercial-'.$lang); ?></a></li>
    <li><a <?php echo ($cat == 'oficinas') ? "class='current'" : ""; ?>href="/proyectos.php?cat=oficinas"><?php perch_content('nav-oficinas-'.$lang); ?></a></li>
    <li><a <?php echo ($cat == 'dotacional') ? "class='current'" : ""; ?>href="/proyectos.php?cat=dotacional"><?php perch_content('nav-dotacional-'.$lang); ?></a></li>
    <li><a <?php echo ($cat == 'residencial') ? "class='current'" : ""; ?>href="/proyectos.php?cat=residencial"><?php perch_content('nav-residencial-'.$lang); ?></a></li>
    <li><a <?php echo ($cat == 'diseno-interior') ? "class='current'" : ""; ?>href="/proyectos.php?cat=diseno-interior"><?php perch_content('nav-diseno-interior-'.$lang); ?></a></li>
    </ul>
  • <?php if (perch_get('s')) $current_slug = 's='.perch_get('s')."&"; // adds the slug when on proyecto.php ?>
    <?php if (perch_get('cat')) $current_cat = 'cat='.perch_get('cat')."&"; // adds the category when on proyecto.php ?>

    ^^^ here. You're using cat without escaping it.

  • So you're using the GET parameter without filtering or encoding it, and then using it as part of a concatenation for a URL that is used in the navigation, so yes, as it is, it's definitely an XSS vulnerability.

    Remember “filter inputs and encode output”

    Filter with filter_input() or filter_var() functions

    And you can encode with htmlspecialchars()

    This is not a Perch issue though; learn these functions. And do some research into XSS and SQLi prevention and practices.
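As an added example (not the original poster's code and not part of Perch), here is the hardened form of the two flagged lines, following the advice in the reply: filter the GET parameters against an allow-list or a slug pattern, then URL-encode them for the query string and HTML-encode the attribute on output. It assumes the six category slugs from the navigation above and reads $_GET directly via filter_input() instead of perch_get().

```php
<?php
// Added example, not the poster's code. Assumes the category values are the
// six slugs used in the navigation and reads $_GET via filter_input() rather
// than perch_get().

// 1. Filter input: only accept a category slug from a fixed allow-list.
const ALLOWED_CATS = [
    'transporte', 'comercial', 'oficinas',
    'dotacional', 'residencial', 'diseno-interior',
];

function current_cat(): ?string
{
    // filter_input() returns null when the parameter is absent and false when
    // the value fails the filter (e.g. an array instead of a string).
    $cat = filter_input(INPUT_GET, 'cat', FILTER_DEFAULT);
    if (!is_string($cat) || !in_array($cat, ALLOWED_CATS, true)) {
        return null; // unknown or malformed value: treat as "no category"
    }
    return $cat;
}

// Project slug: there is no fixed list, so restrict it to slug characters.
function current_slug(): ?string
{
    $s = filter_input(INPUT_GET, 's', FILTER_VALIDATE_REGEXP, [
        'options' => ['regexp' => '/^[a-z0-9-]{1,64}$/'],
    ]);
    return is_string($s) ? $s : null;
}

// 2. Encode output: URL-encode each value for the query string, then
//    HTML-encode the whole attribute value when it lands in markup.
function query_prefix(?string $slug, ?string $cat): string
{
    $parts = [];
    if ($slug !== null) { $parts[] = 's=' . rawurlencode($slug); }
    if ($cat  !== null) { $parts[] = 'cat=' . rawurlencode($cat); }
    return $parts ? implode('&', $parts) . '&' : '';
}

// Equivalent of $current_slug . $current_cat from the original, now safe.
$prefix = query_prefix(current_slug(), current_cat());
?>
<a href="/proyectos.php?<?= htmlspecialchars($prefix, ENT_QUOTES, 'UTF-8') ?>lang=en">English</a>
```

Any cat value outside the allow-list is simply dropped rather than reflected, and the slug pattern rejects anything that is not a plain hyphenated identifier, so nothing attacker-controlled reaches the attribute unencoded.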