Soft Rejected: (XSS) "Application is insecure"

bgokcol · July 20, 2020, 8:24am

Hi. My script rejected with reason below:

Application is insecure.

And the reviewer sent me photo of XSS vulnerability. There is no XSS vulnerability on user-side, it is only in admin-side.

There are “Extra Header/Footer”, “Ad Code” fields and “Blog Post Content” (wysiwyg editor) field in my admin panel.
For example, admin user enters Adsense code to “Ad Code” field. Adsense gives us javascript code. That’s why I don’t check XSS in these fields.

What should I do?

mgscoder · July 20, 2020, 9:03am

you should to take care XSS vulnerability for both front end and back end. your full script should be secure from XSS attack.

bgokcol · July 20, 2020, 9:41am

@mgscoder Thank you for answer. But as I said, it is necessary to add javascript code when adding Adsense/Analytics.

(As far as I know) It’s not possible to detect whether a javascript code is harmful.

mgscoder · July 20, 2020, 10:18am

if add then you have to make sure the js code is secure. what your script doing when adding js code it is saving into DB or doing something in front end witht he code, right? so, you have to take care XSS vulnerability. otherwise the victim’s browser can executes the malicious script.

WebWizardsDev · July 20, 2020, 10:26am

I think it’s most likely the reviewer is correct and you have a design error.

Share some relevant code and what the reviewer highlighted and I’m happy to take a look, and think of some possible solutions.

bgokcol · July 20, 2020, 10:41am

@WebWizardsDev Hey, thanks for answer.

As you can see, javascript is required for some ad networks. So I don’t check XSS in this input field. If I check, required script code will be deleted.

WebWizardsDev · July 20, 2020, 12:15pm

I don’t fully understand the context and the vulnerability. But generally, my suggestion is just take the path of least resistance. Instead of arguing with the reviewer, I suggest:

use esc_html, sanitize_textarea_field, sanitize_text_field etc. to satisfy the Envato Reviewer’s requirements.
Deconstruct the javascript, for example replace " < script > " with * scripttagstart * and * scripttagend *
Then in the frontend, you can replace * scripttagstart * with < script > again.

promotionking · July 20, 2020, 12:26pm

Please have your script as sanitized in the way as mentioned from reviewer’s side. Once it’s been sanitized submit again and it will definitely be approved. Simply just don’t loose hope. All you need to do is rectify and update the code if again after the second attempt it’s not approved …,. update again

baileyherbert · July 20, 2020, 1:23pm

Code for an ad banner is not XSS. You don’t need to sanitize that.

You said the reviewer sent you a photo of an XSS vulnerability. Can you share that photo with us?