[WSTG-INPV-01] Cross Site Scripting (XSS)

The feedback form has an onsubmit event attribute that calls a JavaScript function to validate that the Name and Message values are not empty.

function validate_required(field,alerttxt)
{
with (field) {
  if (value==null||value=="") {
    alert(alerttxt);return false;
  }
  else {
    return true;
  }
}
}

function validate_form(thisform) {
with (thisform) {
  if (validate_required(txtName,"Name can not be empty.")==false) {
    txtName.focus();return false;
  }
  if (validate_required(mtxMessage,"Message can not be empty.")==false) {
    mtxMessage.focus();return false;
  }
}
}

Reference Errors

  1. The onClick attribute references an undefined function, checkForm().

  2. The following line references a non-existent variable (the typo mtxMessage, which should be mtxtMessage as defined in the HTML form), which is why the message can be empty.

validate_required(mtxMessage,"Message can not be empty.")

However, it does not check whether the user input contains HTML tags or JavaScript.

<script>alert("ok")</script>

The length limitation can be bypassed by removing the maxlength attribute from the txtName and mtxtMessage input fields.

Remediation

Validate user input to prevent malformed data from being saved.
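
As an added example (not code from the original page or from the tested application), the sketch below repeats the form checks on the server and HTML-encodes values when they are rendered, so input such as the script tag shown above is displayed as text. The field names come from the page; the length limits and function names are assumptions.

```javascript
// Added example: server-side handling for the feedback form.
// Field names txtName / mtxtMessage come from the page; the length limits
// and the function names are assumptions made for this sketch.
const LIMITS = { txtName: 10, mtxtMessage: 50 }; // assumed maxlength values

// Encode the characters that are significant in HTML text and quoted
// attribute values, so stored input renders as text instead of markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Re-check on the server what the browser was only asked to check:
// the client-side validate_form() and maxlength can both be skipped.
function validateFeedback(body) {
  const errors = [];
  const clean = {};
  for (const [field, max] of Object.entries(LIMITS)) {
    const raw = body[field];
    if (typeof raw !== 'string' || raw.trim() === '') {
      errors.push(`${field} can not be empty.`);
      continue;
    }
    const value = raw.trim();
    if (value.length > max) {
      errors.push(`${field} exceeds ${max} characters.`);
      continue;
    }
    clean[field] = value;
  }
  return { ok: errors.length === 0, errors, clean };
}

// Render one stored entry; encoding is applied at output time.
function renderEntry(entry) {
  return `<div>Name: ${escapeHtml(entry.txtName)}<br>` +
         `Message: ${escapeHtml(entry.mtxtMessage)}</div>`;
}
```

Presence and length checks alone still accept markup that fits within the limits, which is why the encoding step in renderEntry() is what keeps a stored value from being interpreted as HTML.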