We received a scan report that lists a number of items on our website that never previously popped up as an issue. What in the following code is a vulnerability to cross-site scripting?
<?php $Get_url="http://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];?>
<div class="event-social">
<ul>
<li><a href="#" onclick="window.open('https://www.facebook.com/sharer/sharer.php?u='+encodeURIComponent(location.href),
'facebook-share-dialog',
'width=626,height=436');
return false;">
<img src="/images/events-calendar/cal-facebook.gif" alt="Share on Facebook" />
</a>
</li>
<li><a href="http://twitter.com/share?&url=<?php echo $Get_url; ?>&via=niagaraparks"><img src="/images/events-calendar/cal-twitter.gif" alt="Twitter" /></a>
</li>
<li><a href="#"
onclick="window.open('http://plus.google.com/share?url=<?php echo $Get_url; ?>',
'popupwindow',
'scrollbars=yes,width=800,height=400').focus();"><img src="/images/events-calendar/cal-googleplus.gif" alt="Google+" /></a>
</li>
</ul>
</div>
And here:
<li class="social"><a href="http://blog.xxxxxxxxxx.com/?feed=rss2" target="_blank" id="rss"><img src="/images/homepage/icon-blog.png" alt="RSS" /></a></li>
And then several points in our contact form page (lastname parameter, emailc parameter, etc.):
<div class="line"><label for="firstname">First Name</label>:
<input id="firstname" maxlength="55" name="firstname" type="text" value="<?=$_REQUEST["firstname"] ?>" /></div>
<div class="line"><label for="lastname">Last Name</label>:
<input id="lastname" maxlength="55" name="lastname" type="text" value="<?=$_REQUEST["lastname"] ?>" /></div>
<div class="line"><label for="email">E-mail</label>:
<input id="email" maxlength="100" name="email" type="text" value="<?=$_REQUEST["email"] ?>"/></div>
<div class="line"><label for="emailc">Confirm E-mail</label>:
<input id="emailc" maxlength="100" name="emailc" type="text" value="<?=$_REQUEST["emailc"] ?>"/></div>
Any help would be greatly appreciated.
More Details
I've made some changes that I hope solve my problem:
<?php $Get_url="http://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];
$Get_url = urlencode($Get_url);
?>
<div class="event-social">
<ul>
<li><a href="#" onclick="window.open('https://www.facebook.com/sharer/sharer.php?u='+encodeURIComponent(location.href),
'facebook-share-dialog',
'width=626,height=436');
return false;">
<img src="/images/events-calendar/cal-facebook.gif" alt="Share on Facebook" />
</a>
</li>
<li><a href="http://twitter.com/share?&url=<?php echo $Get_url; ?>&via=niagaraparks"><img src="/images/events-calendar/cal-twitter.gif" alt="Twitter" /></a>
</li>
<li><a href="#"
onclick="window.open('http://plus.google.com/share?url=<?php echo $Get_url; ?>',
'popupwindow',
'scrollbars=yes,width=800,height=400').focus();"><img src="/images/events-calendar/cal-googleplus.gif" alt="Google+" /></a>
</li>
</ul>
And for the contact form, I had already used strip_tags when echoing the input variables into an email; does that not avoid the problem? Or do I need to escape the variable at the input as well? For now, I've changed my strip_tags to htmlspecialchars:
$emailContents .= "<tr style='padding:10px;'><td style='padding:3px 10px;'><strong>E-mail:</strong> </td><td style='padding:3px 10px;'>" . htmlspecialchars($_POST['email']) . "</td></tr>";
But the scanner seems to be concerned with the input code:
<input id="email" maxlength="100" name="email" type="text" value="<?=$_REQUEST["email"] ?>"/></div>
I'm not sure how I would modify those lines to escape/sanitize that input.
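The following is an added example, not the asker's code or the scanner's output. It rebuilds the three reflected spots from the question (the Twitter share link, the Google+ onclick, and the contact-form inputs) with each value escaped for the context it lands in, and prints the unsafe and hardened markup side by side for a constructed hostile request. The host, URI and form values are constructed samples; `h()`, `share_query_url()`, `twitter_link_unsafe()`, `twitter_link_safe()`, `plus_link()` and `text_input()` are names chosen here.

```php
<?php
// Added example (not the asker's code): the reflected values from the question,
// escaped for the context each one is echoed into.

// Escape a string for an HTML text node or a double-quoted HTML attribute.
// ENT_QUOTES also escapes single quotes; ENT_SUBSTITUTE keeps invalid UTF-8
// from silently producing an empty string.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// HTTP_HOST and REQUEST_URI are request-controlled, so the page URL is treated
// as untrusted input and percent-encoded for the query-string context.
function share_query_url(string $host, string $uri): string {
    return rawurlencode('http://' . $host . $uri);
}

// Pattern from the question, reproduced for comparison: raw reflection of the
// request URL into an href attribute.
function twitter_link_unsafe(string $host, string $uri): string {
    $get_url = 'http://' . $host . $uri;
    return '<a href="http://twitter.com/share?&url=' . $get_url . '&via=niagaraparks">Twitter</a>';
}

// Hardened form: percent-encode the value for the query string, then
// HTML-escape the whole attribute value. Both layers are needed, one per context.
function twitter_link_safe(string $host, string $uri): string {
    $href = 'http://twitter.com/share?url=' . share_query_url($host, $uri) . '&via=niagaraparks';
    return '<a href="' . h($href) . '">Twitter</a>';
}

// For the onclick handler, the simplest fix is to stop interpolating PHP into a
// JavaScript string literal inside an HTML attribute at all, and build the URL
// in the browser the way the Facebook link already does.
function plus_link(): string {
    return '<a href="#" onclick="window.open(\'https://plus.google.com/share?url=\''
         . ' + encodeURIComponent(location.href), \'popupwindow\','
         . ' \'scrollbars=yes,width=800,height=400\').focus(); return false;">Google+</a>';
}

// Contact-form field: the reflected value is HTML-escaped inside the value
// attribute. strip_tags() applied later, when the email is built, does nothing
// for this page because the raw value has already been sent to the browser here.
function text_input(string $name, int $maxlength, string $value): string {
    return '<input id="' . h($name) . '" maxlength="' . $maxlength . '" name="' . h($name)
         . '" type="text" value="' . h($value) . '" />';
}

// Constructed hostile request values (not taken from the scanner report).
$host     = 'www.example.com';
$uri      = '/events/?x="><script>alert(1)</script>';
$lastname = '"><script>alert(1)</script>';

echo "UNSAFE: " . twitter_link_unsafe($host, $uri) . "\n";
echo "SAFE:   " . twitter_link_safe($host, $uri) . "\n";
echo "PLUS:   " . plus_link() . "\n";
// In the real template this would be text_input('lastname', 55, (string)($_REQUEST['lastname'] ?? ''))
echo "FIELD:  " . text_input('lastname', 55, $lastname) . "\n";
```

In the unsafe line the `"><script>` sequence closes the `href` attribute and the anchor tag; in the safe line it survives only as `%22%3E%3Cscript%3E` inside the query string, and the quotes and angle brackets of the attribute itself are entity-encoded. Note that `urlencode($Get_url)` alone, as in the edited version above, does address the `href` and `onclick` cases because the encoded string can no longer contain `"`, `'`, `<` or `>`, but it does nothing for the form inputs, where `htmlspecialchars()` with `ENT_QUOTES` is the right tool; `strip_tags()` is not an escaping function and leaves a stray `"` free to break out of the `value` attribute.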