Warning: XSS Security Vulnerabilities

Answered

Comments

4 comments

  • Christian Holm

    Hi Andreas

    Podio is not just a web-app. We do output escaping, not sanitizing on the way in. This is, in our (and many others') view, the right way to do it. There is no good reason why someone should not be able to use & in their company name, f.ex. Saving it HTML-escaped in the database is not really a good idea, unless you are only a web application. Since we have many different clients, the right way to do it is to always output-escape user data when it is displayed in, f.ex., HTML.

    Christian

  • '>img srcx onerrorprompt(0);>

    I was testing the site for bugs; I tested your site too, podiomail.com.

    The flaw in your site is that it doesn't filter the data which is taken from podio.com.

    I have emailed you about this through the contact form; no reply has come to me from your side :(

    Please check it; there are many other bugs which I have reported to you, it will help in securing podiomail.com :)

  • Andreas Huttenrauch

    @Christian - thanks for the response. This was more aimed at being a warning to other developers. I always sanitize post inputs, but for some reason didn't expect malicious code coming from Podio.

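Christian's point above (keep the raw value, escape at the HTML output sink) and Andreas's point (data returned by a third-party API such as Podio is still user-controlled input) can be shown side by side. The following is an added example, not Podio's or PodioMail's code; the records are constructed stand-ins for items fetched from an API, and the helper names are my own.

```javascript
// Added example (not Podio's or PodioMail's code). It contrasts escaping at the
// HTML output sink with escaping on the way in, using constructed records that
// stand in for items fetched from a third-party API.

// Constructed sample values: one legitimate company name that happens to contain
// HTML metacharacters, and one hostile value of the kind any client that can
// write to the upstream service could have stored there.
const apiRecords = [
  { company: "Smith & Sons <Ltd>" },
  { company: '"><script>alert(1)</script>' },
];

// HTML-encode the five characters that change meaning in element text or in a
// quoted attribute. Every value rendered into HTML goes through this, whether it
// came from our own form or from a remote API we happen to trust.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// True if a string still contains characters that could open a tag or break out
// of a quoted attribute; a correctly escaped value never does.
function containsMarkupChars(s) {
  return /[<>"']/.test(s);
}

// Output escaping: the stored value stays raw and the HTML sink encodes it,
// both in attribute context and in text context.
function renderHtml(record) {
  const safe = escapeHtml(record.company);
  return `<li data-company="${safe}">${safe}</li>`;
}

// A non-HTML sink (plain-text e-mail, CSV export, a native client) wants the raw value.
function renderPlainText(record) {
  return `Company: ${record.company}`;
}

// Escape-on-input: what the database would hold if values were encoded before storage.
function storeEscaped(record) {
  return { company: escapeHtml(record.company) };
}

// Side-by-side view of both strategies for one record.
function compare(record) {
  const escapedOnInput = storeEscaped(record);
  return {
    html: renderHtml(record),                                  // correct
    plainText: renderPlainText(record),                        // correct
    plainTextFromEscapedStore: renderPlainText(escapedOnInput),// entities leak into text
    doubleEscapedHtml: renderHtml(escapedOnInput),             // "&amp;amp;" on screen
  };
}

// Run stand-alone to see the difference for both constructed records.
for (const record of apiRecords) {
  console.log(JSON.stringify(compare(record), null, 2));
}
```

The escaping has to match the sink: the function above is correct for HTML text and double-quoted attributes, but a value placed inside a `<script>` block, a URL, or a CSS property needs that context's encoder instead, which is exactly why encoding on the way in, before the sink is known, cannot be right in general. Most template engines apply this kind of HTML escaping by default; the risk Andreas ran into is bypassing it for data that arrived from an API rather than from a form.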
  • Andreas Huttenrauch

    And just to reply to Mr Hacker here, PodioMail.com has been secured. Thanks for pointing this out.
