 

JS Injection XSS vulnerability of KKWebServiceEng

Started by Coeus, June 13, 2017, 09:29:22 am


Coeus

Hi,

Good day.

Just wanted to ask if there are any KK features that would enable filtering of inputs to prevent JS injection in KKWebServiceEng's services, e.g. editCustomerAddress? Aside from the front-end validation/filtering, is there any way we can prevent this from the KK backend?

Thanks in advance for the answers.


julie

In the next version (which will be out soon) we've added configurable HTML escaping for the transactional API calls such as editCustomerAddress() or registerCustomer(). However, to ensure a high level of security, what we recommend is that you only make the non-transactional API calls available over the internet and provide an extra layer of your own for the transactional calls, so that you can carry out your own HTML escaping. It is also typically better for performance, because after, for example, a registration you may want to send an email, log in the customer and set some customer tags, which you can do directly from the server instead of making multiple round trips from the client.
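
The layering julie describes, as an added illustration that is not KonaKart's own code: a small server-side facade sits in front of the transactional call, HTML-escapes every free-text field of the address before the engine sees it, and runs the follow-up work (here a placeholder notification) in the same request. The `Address` class, `RecordingEngine`, `AddressFacade`, the `MAX_FIELD_LEN` limit and the sample payload are all assumptions made for the example; none of them is a KonaKart type or API.

```python
from __future__ import annotations

import html
from dataclasses import dataclass, fields, replace

# Assumed storage column width. Escaping lengthens text ("&" becomes "&amp;"),
# so the length check must run after escaping, not on the raw input.
MAX_FIELD_LEN = 64


@dataclass
class Address:
    # Assumed minimal address DTO for illustration; not KonaKart's AddressIf.
    first_name: str
    last_name: str
    street: str
    city: str
    postcode: str


def escape_address(addr: Address) -> Address:
    """Return a copy of addr with every string field HTML-escaped (&, <, >, ", ')."""
    escaped = {}
    for f in fields(addr):
        value = getattr(addr, f.name)
        if isinstance(value, str):
            value = html.escape(value, quote=True)
            if len(value) > MAX_FIELD_LEN:
                raise ValueError(f"{f.name} too long after escaping ({len(value)} > {MAX_FIELD_LEN})")
        escaped[f.name] = value
    return replace(addr, **escaped)


def is_acceptable(addr: Address) -> bool:
    """True if the address survives escaping within the assumed column limits."""
    try:
        escape_address(addr)
        return True
    except ValueError:
        return False


class RecordingEngine:
    """Stand-in for the transactional engine call; only records what it is asked to persist."""

    def __init__(self) -> None:
        self.stored: dict[str, Address] = {}

    def edit_customer_address(self, session_id: str, addr: Address) -> bool:
        self.stored[session_id] = addr
        return True


class AddressFacade:
    """The server-side layer exposed to clients instead of the engine itself."""

    def __init__(self, engine: RecordingEngine) -> None:
        self.engine = engine
        self.post_actions: list[str] = []

    def edit_customer_address(self, session_id: str, addr: Address) -> bool:
        if not session_id:
            raise PermissionError("session required")
        safe = escape_address(addr)  # escaping happens here, on the server, before the engine call
        ok = self.engine.edit_customer_address(session_id, safe)
        if ok:
            # Follow-up work (email, tags, ...) runs server-side in the same request
            # instead of costing the client extra round trips.
            self.post_actions.append(f"notify:{session_id}")
        return ok


def demo() -> dict:
    """Push a hostile update through the facade and report what actually reached the engine."""
    engine = RecordingEngine()
    facade = AddressFacade(engine)
    # Constructed sample input: a script payload smuggled into the street field.
    hostile = Address("Ada", "Lovelace", '<script>alert("xss")</script>', "London", "N1 9GU")
    facade.edit_customer_address("sess-123", hostile)
    stored = engine.stored["sess-123"]
    return {"street": stored.street, "city": stored.city, "actions": facade.post_actions}


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would want alongside this. Escaping on the way in neutralises the payload for HTML contexts only; a value later rendered into a JavaScript string, a URL or a JSON response still needs context-appropriate output encoding at the point of rendering. And because escaped strings are longer than the originals, any length validation must run after the escape, as the facade does, or an innocent-looking input can overflow a column the raw check passed.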

Coeus

Thank you very much for the prompt response @julie, that's very helpful.

It's also good to hear that the next version will have this HTML escaping feature and will be out soon.

Cheers.