Common Vulnerabilities
Cross-Site-Scripting / XSS
Cross-Site-Scripting issues are by far the most common issues in the Joomla extension ecosystem.
A brief example: imagine a Joomla comment extension that allows users to comment on an article with a subject and a text. Now imagine the following output template for a comment:
<div class="comment">
<h3><?php echo $comment->subject; ?></h3>
<?php echo $comment->text; ?>
</div>
Looks straightforward, huh? But now imagine that a user does not use "I love your site" as a comment subject, but <script>executeEvilJs()</script>.
With the output template given above, the JS provided by the user will be output as an executable HTML tag and the evil code will be executed in the browser of each and every user visiting the page where that comment is shown - that's a Cross-Site-Scripting vulnerability.
Prevention
Filter/validate the user input
In the example above, the provided subject should be filtered and/or validated to only allow required characters - and it should disallow characters that are needed to create HTML tags, i.e. the < and > characters.
If the user input can contain HTML markup, the markup itself has to be filtered to make sure it only contains safe markup. See the chapter about input handling for more information.
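The vulnerable template above beside a hardened rendering, as an added example in plain PHP (not code from the Joomla documentation); the `e()`, `isValidSubject()` and `renderComment*()` names and the sample comment object are constructed for this illustration.

```php
<?php
// Added example: the vulnerable comment template next to a hardened version.
// Runs without a Joomla installation; the comment below is constructed input.
declare(strict_types=1);

// Constructed comment whose subject carries the payload discussed above.
$comment = (object) [
    'subject' => '<script>executeEvilJs()</script>',
    'text'    => 'I love your <b>site</b>!',
];

// Vulnerable: user data is echoed straight into the HTML document.
function renderCommentVulnerable(object $comment): string
{
    return '<div class="comment">'
        . '<h3>' . $comment->subject . '</h3>'
        . $comment->text
        . '</div>';
}

// Output escaping for an HTML text context: <, >, &, " and ' become
// entities, so the browser shows them as text instead of parsing them.
// Joomla views expose the same call through $this->escape().
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Input validation for a plain-text subject: allow letters, digits, spaces
// and basic punctuation only, which excludes the < and > tag delimiters.
function isValidSubject(string $subject): bool
{
    return (bool) preg_match('/^[\p{L}\p{N} .,!?\'-]{1,100}$/u', $subject);
}

// Hardened: validate on the way in, escape on the way out. If the text
// field were allowed to contain HTML, an allow-list markup filter (such as
// Joomla's InputFilter) would have to run instead of plain escaping.
function renderCommentSafe(object $comment): string
{
    $subject = isValidSubject($comment->subject) ? $comment->subject : '(invalid subject)';
    return '<div class="comment">'
        . '<h3>' . e($subject) . '</h3>'
        . e($comment->text)
        . '</div>';
}

echo renderCommentVulnerable($comment), PHP_EOL; // <script> reaches the browser intact
echo renderCommentSafe($comment), PHP_EOL;       // subject rejected, <b> shown as literal text
```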