So I added HTML entities to each of my text boxes. I don't know if I need it on my checkbox, but I don't know how, so if I do, tell me please.
My issue, though, is that all of the XSS vulnerability warnings went away when I did that except for the page they're actually on, "contact.php".
Sorry, I'm tired. Thanks so much, all.
Vulnerability description
This script is possibly vulnerable to Cross Site Scripting (XSS) attacks.
Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of Javascript) to another user. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser.
This vulnerability affects /contact.php.
Discovered by: Scripting (XSS_in_URI.script).
The impact of this vulnerability
Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user.
Attack details
URI was set to "onmouseover=prompt(989931)>
The input is reflected inside a tag element between double quotes.
Request
GET /contact.php/%22onmouseover=prompt(989931)%3E HTTP/1.1
Cookie: PHPSESSID=26d2d9143c8b4920fbb91285f512c433
Host: www.drpcrepair.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
Accept: */*
Response
HTTP/1.1 200 OK
Date: Wed, 09 Mar 2011 04:29:50 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Vary: Accept-Encoding
X-Powered-By: PHP/5.2.17
Keep-Alive: timeout=2, max=181
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 16712
How to fix this vulnerability
Your script should filter metacharacters from user input.
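The finding above is an "XSS_in_URI" hit: the reflected value comes from the request path (`/contact.php/"onmouseover=prompt(989931)>`), not from a form field, so entity-encoding the text-box values never reaches the sink, which is why the warning on contact.php itself stayed. What follows is an added example, not code from the original post or from the real contact.php (which is not shown). It assumes contact.php builds its `<form action>` from `$_SERVER['PHP_SELF']`, the most common way a path value lands inside a double-quoted attribute on a PHP page; the function names (`h`, `form_open_vulnerable`, `form_open_encoded`, `form_open_fixed`, `checkbox`) and the `agree` checkbox are illustrative, and the code is written for the PHP 5.2 shown in the response headers. The scanner's "filter metacharacters" advice is better read as: encode every value at the point it is written into HTML, per context, and keep request data out of places like the form action altogether.

```php
<?php
// Added example, not code from the original post or from contact.php.
// The scanner's payload is part of the request PATH, so entity-encoding the
// text-box values does not touch it.
// ASSUMPTION: contact.php builds its <form action> from $_SERVER['PHP_SELF'],
// which includes PATH_INFO, so /contact.php/"onmouseover=...> reaches the page.
// Written for PHP 5.2 (no 5.4+ constants, no scalar type hints).

/** Encode a value for a double-quoted HTML attribute or for text content. */
function h($value)
{
    // ENT_QUOTES encodes both " and ' so the value cannot close an attribute.
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

/** VULNERABLE pattern: the request path is echoed raw into an attribute. */
function form_open_vulnerable($php_self)
{
    return '<form method="post" action="' . $php_self . '">';
}

/** FIXED, option 1: encode at the sink. The " in the payload becomes &quot;,
 *  so the browser never sees the attribute close early. */
function form_open_encoded($php_self)
{
    return '<form method="post" action="' . h($php_self) . '">';
}

/** FIXED, option 2 (preferred): put no request data in the action at all.
 *  A hard-coded relative action posts back to the same script. */
function form_open_fixed()
{
    return '<form method="post" action="contact.php">';
}

/**
 * Checkbox: never echo the submitted value back into the page. Decide
 * checked/unchecked with a boolean test and emit fixed markup; the value
 * attribute is a constant, so there is nothing attacker-controlled to encode.
 */
function checkbox($name, $post)
{
    $checked = (isset($post[$name]) && $post[$name] === '1') ? ' checked="checked"' : '';
    return '<input type="checkbox" name="' . h($name) . '" value="1"' . $checked . '>';
}

// Constructed input: the path the scanner requested, as PHP_SELF would expose it.
$php_self = '/contact.php/"onmouseover=prompt(989931)>';

echo form_open_vulnerable($php_self), "\n";
echo form_open_encoded($php_self), "\n";
echo form_open_fixed(), "\n";

// A tampered checkbox value is ignored rather than reflected; only the exact
// expected value "1" turns the box on.
echo checkbox('agree', array('agree' => '"onmouseover=prompt(1)>')), "\n";
echo checkbox('agree', array('agree' => '1')), "\n";
```

Run it from the command line and compare the first two lines of output: in the vulnerable one the payload's `"` closes the `action` attribute and `onmouseover=prompt(989931)` becomes a live attribute of the form tag, while in the encoded one it appears as `&quot;onmouseover=prompt(989931)&gt;` inside the attribute value and the browser treats it as an inert part of the URL. The hard-coded action is the cleanest fix because there is no user data in that sink at all. For the checkbox, the same rule applies to every form field: the submitted value is never written back into the markup; the page only decides, from a comparison, whether to emit `checked="checked"`.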

