
Cross-site scripting error

Answered
Chris asked on December 7, 2022

Hello,

After running security scans on our software we have found potential security issues relating to cross-site scripting allowing unvalidated data to be sent to a web browser, found while scanning the minified Flexmonster code. Are there any mitigations that have been done to ensure that there are no opportunities for unvalidated code to be sent to the web browser through flexmonster?

Thanks

5 answers

Solomiia Andrusiv (Flexmonster), December 8, 2022

Hello, Chris!
 
Thank you for your question.
 
Kindly note that security is our top priority, and our developers always stick to best practices and guidelines to ensure the maximum security of the component. 
We are validating all input and output data in our code, so there shouldn't be any issues with cross-site scripting.
Nevertheless, if you have found some specific case, please let us know.
 
Hope you will find our answer helpful.
 
Regards,
Solomiia

Chris, December 10, 2022

Hi Solomiia,

Thank you for your reply. 
It seems that our scanner is flagging two functions in particular, createContextualFragment() and document.createElement(). Would you be able to provide an explanation of how the data going into these methods is scrubbed/verified, or if there are any other reasons that the data being supplied to or returned from them would not be of concern?

Thanks so much,
Chris

Solomiia Andrusiv (Flexmonster), December 12, 2022

Hello, Chris!
 
Thank you for your response.
 
Kindly note that the document.createElement() function is not executed on any user input data in Flexmonster.
We are also validating all data from the inputs for unwanted scripts. You can verify this by entering a <script> tag in any input and seeing that the <script> tag is rendered as a string instead of running.
 
As for the createContextualFragment() function, it is used in the d3.js charting library. Still, it is not connected with any user inputs directly, and we are validating all data before passing it to the 3rd party libraries.
 
Hope you will find our answer helpful.
Feel free to ask if any further questions arise.
 
Regards,
Solomiia
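The answer above distinguishes two kinds of DOM sink: document.createElement() only takes a tag name and never parses HTML, whereas Range.createContextualFragment() (like innerHTML) parses its string argument as markup, so what matters is whether a non-constant string reaches the latter. The following is an added example, not Flexmonster's or d3's code, of how a reviewer can triage such scanner findings in a minified bundle and what "rendered as a string" means in practice. The bundle text, the sink list and the function names (triageSinks, escapeHtml) are constructed for illustration; the triage is a regex heuristic over source text, not a data-flow analysis.

```javascript
// Added example (not the vendor's code). Two parts:
//  1. triageSinks(): grep a bundle for the sinks a scanner flags and sort them
//     by whether the sink parses HTML and whether its argument is a constant.
//  2. escapeHtml(): what "the <script> tag is converted to a string" means
//     when a value must be placed into HTML markup rather than via textContent.

// Constructed stand-in for a minified bundle (not real Flexmonster/d3 code).
const SAMPLE_BUNDLE =
  'function a(e){var t=document.createElement("div");t.className="fm-cell";t.textContent=e;return t}' +
  'function b(e){var r=document.createRange();return r.createContextualFragment(e)}' +
  'function c(e,n){n.innerHTML=e}' +
  'function d(e){return document.createElement(e)}' +
  'function f(){return document.createElement("tr")}';

// Sinks of interest. parsesHtml marks the ones that turn a string into elements.
// Note: scripts inside a fragment from createContextualFragment DO execute when the
// fragment is appended to the document, unlike scripts assigned through innerHTML.
const SINKS = [
  { name: 'document.createElement',        pattern: /createElement\(([^)]*)\)/g,             parsesHtml: false },
  { name: 'Range.createContextualFragment', pattern: /createContextualFragment\(([^)]*)\)/g, parsesHtml: true },
  { name: 'Element.innerHTML',              pattern: /\.innerHTML\s*=\s*([^;,)}]+)/g,         parsesHtml: true },
];

// True when the argument text is a single quoted string constant such as "div".
function isStringLiteral(arg) {
  return /^\s*(["'])(?:(?!\1).)*\1\s*$/.test(arg);
}

// Classify each sink call found in the source text:
//   'benign' - constant argument, or a sink that cannot parse markup at all
//   'low'    - createElement with a computed tag name (no HTML parsing; worst case
//              is an unexpected element or an InvalidCharacterError)
//   'review' - an HTML-parsing sink fed a non-constant value; trace its origin
function triageSinks(source) {
  const findings = [];
  for (const sink of SINKS) {
    for (const m of source.matchAll(sink.pattern)) {
      const arg = m[1].trim();
      let verdict;
      if (isStringLiteral(arg)) verdict = 'benign';
      else if (!sink.parsesHtml) verdict = 'low';
      else verdict = 'review';
      findings.push({ sink: sink.name, arg, verdict, offset: m.index });
    }
  }
  return findings;
}

// Escape the five characters that can change HTML structure, so a payload such as
// <script>alert(1)</script> shows up literally. In the browser, assigning the raw value
// to textContent or creating it with document.createTextNode achieves the same result
// without escaping, because those sinks never parse markup.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Stand-alone run: list what a reviewer would need to follow up on.
if (typeof require !== 'undefined' && require.main === module) {
  for (const f of triageSinks(SAMPLE_BUNDLE)) {
    console.log(`${f.verdict.padEnd(6)} ${f.sink}(${f.arg}) @${f.offset}`);
  }
  console.log(escapeHtml('<script>alert(1)</script>'));
}
```

Only the 'review' entries (here the createContextualFragment and innerHTML calls that take a parameter) need a data-flow check back to user-controllable input; a reviewer would then try a payload such as <img src=x onerror=...> through that path, since <script> inserted via innerHTML does not execute and would give a false sense of safety for that sink.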
 

Chris, December 12, 2022

Thanks so much, Solomiia. That was very helpful, and I appreciate how quickly you were able to provide answers to my questions!

Solomiia Andrusiv (Flexmonster), December 13, 2022

Hello, Chris!

Thank you for your quick feedback.

We are glad to hear our answers were helpful.

You are welcome to contact us in case of any other questions.

Best regards,
Solomiia
