Reflected XSS All Clients

Rishi2Monk has asked for the wisdom of the Perl Monks concerning the following question:

Kindly help me to fix the Checkmarx issue in the below code. I tried to do the below sanitization before print, but it does not work out

my ($db_dt,$enq_dt, $ecn, $kob, $userid, @fids) = @ARGV;

if ($db_dt =~ /^[^0-9]$/ || $enq_dt =~ /^[^0-9]$/ || $userid =~ /^[^a-
+zA-Z0-9]$/ || $ecn =~ /^[^0-9]$/ $kob =~ /^[^A-Z0-9]$/)
{
        print("Invalid db_dt or enq_dt or userid or ecn or kob: ",__LI
+NE__, "\n");
}

print("Start of db2Json == " . get_time() . " in ${db_dt} image as of 
+${enq_dt}\n");  <== Error
[download]

Comment on Reflected XSS All Clients Download Code

Replies are listed 'Best First'.
Re: Reflected XSS All Clients by Corion (Patriarch) on Dec 27, 2022 at 09:40 UTC
You accept input from the user and do not sanitize it, and then print it out. Don't do that. Either do not print the user input at all, or check that the user input is well-formed before you print it, or escape it before printing. If you think you want to escape the user input, you need to specify what the output target is. Escaping for the console window is different from escaping for a browser.	[reply]
Re: Reflected XSS All Clients by haukex (Archbishop) on Dec 27, 2022 at 09:41 UTC
Three problems with the code you showed: 1. It doesn't compile. 2. `/^[^0-9]$/` only tests whether the string consists of a single character that is not a digit. I assume you meant `/[^0-9]/`. 3. When an input contains an invalid value, all you do is print an additional line of output, you probably meant die instead of print. In addition, to prevent XSS attacks, you should use a module to escape any strings you're inserting into the output.	[reply] [d/l] [select]
Re^2: Reflected XSS All Clients by Rishi2Monk (Novice) on Dec 27, 2022 at 10:23 UTC
Thanks for the reply. I corrected the compilation and `/[^0-9]/`. My intension is to clear the cleckmarx and since I do not know the content of the input, I go with print instead of die. But even after I do this sanitization, Checkmarx is not satified and throw the same error	[reply] [d/l]
Re^3: Reflected XSS All Clients by Corion (Patriarch) on Dec 27, 2022 at 10:27 UTC
You are still not escaping the user specified values for your output target format. Until you do that, you will not solve the problem.	[reply]
A reply falls below the community's threshold of quality. You may see it by logging in.