Why is my site warning "xssvuln" when I use jqueryui autocomplete?
I am implementing jqueryui autocomplete in my site, but when I load this page, it warns "xssvuln". but when i tried to run my site on localhost no problem occurs. Can you help me fix this? Also, I am running my site on ipage.
this is my js for autocomplete.
$.ajax({
type: 'post',
url: 'autocompleteCourse.php',
dataType: 'json',
success: function(data){
var availableCourse = data;
$( "#course" ).autocomplete({
source: availableCourse,
messages: {
noResults: '',
results: function() {}
}
});
}
});
and this is my php file for autocomplete.
include'../utility/sqlcon.php';
$query = mysql_query("select * from autocomplete where input = 'course'") or die (mysql_error());
while($q=mysql_fetch_array($query))
{
$courseOptions[] = $q['autoComplete'];
}
echo json_encode($courseOptions);
source to share
I would guess it has little to do with jQueryUI autocomplete, but is probably a sign that someone has hacked your site, albeit with a friendly warning.
This is probably a hint that someone managed to get something in your database, for example <script>alert('xssvuln');</script>
, as an indication that your site is vulnerable to cross-site injection scripting .
Can you take a look at the source code on your live page and see where the xssvuln notification comes from? Because I doubt it is autocomplete, or at least not directly. If this happens when you use autocomplete, I would check the search results for what you are looking for in your live system to see if they include some kind of Javascript that is hosted there by a hacker, which you then insert into your page without proper shielding.
As an example: if your site allows your users to add new content and you just accept whatever they type and then output it without any work of sanitizing it - removing script tags using functions like htmlspecialchars()
during output and etc. - then you need to understand that you are effectively allowing someone on the Internet to add code to your site.
One way a hacker can quickly test an XSS vulnerability on a site they are researching is to find an input form on the site and add script code to it to check if it went through unsanitised. So they can find the comment form and type:
<script>alert('xssvuln');</script>
... into it. If they then view the comments page on the site and instead of seeing text <script>alert('xssvuln');</script>
on the page (for example, here on Stack Overflow), they see a Javascript warning, they know your site is vulnerable.
So my advice is:
- Find out where the warning comes from. This is most likely user generated content in your database.
- Read on scripts with multiple sites.
- Protect your inputs and outputs from this type of Javascript injection.
- Clean up existing attacks from your database if necessary.
source to share
Someone found a vulnerability on your site and was generous enough to point it out.
It looks like your database has an entry line by line:
<script>alert('xssvuln');</script>
inside it, which is returned as a result of one of your requests and displayed on your page.
It's not good news to find out this is happening. Your application needs to really check that all user input is free of things like tags, etc., so there can't be such things. Likewise, whenever you display data from your database on a page, it is worth using functions that verify that the data is also clean, because you can never be sure.
To fix the problem, I first got into the view source in your live page and found where the script snippet is. Once you know this, you can figure out where in your code the script was retrieved and delete it from your database.
Please don't leave it while doing this. This hacker has highlighted an important vulnerability in your site that someone could easily exploit to do far more harmful things than create a warning message.
Basically, whenever you show text from your database to the user, be sure to wrap it in the following function:
htmlspecialchars($yourstring);
This is not 100% reliable, but will go a long way in reducing the likelihood of successful xss attacks on your site.
source to share