Penetration test findings - disallow special characters in insert/update behaviors

Hi Ray, our client recently had a pen test carried out and they've sent me the report, which I'm working my way through. One thing that was picked up was the ability to insert malicious Javascript code in standard form fields (such as those for a Name) - this is what the report says:

"It was observed that most fields where user input is accepted by the web application, content filtering was in place and unwanted characters were being encoded appropriately. However, it was seen that such filtering was not properly implemented for a user’s first and last name in their profile. As a result, it was possible to insert malicious JavaScript into these fields that would execute every time the user visited their My Account page (screenshot of example attached)."

I've added a Restricted Content server validation behavior to the Name field to disallow characters such as <>{}(); but before I go through the entire site and update every standard text form field in the same way (there are a lot!), can I just check if this is actually necessary? I've seen numerous posts on the forums regarding sql injection and I note that you say if standard server behaviors are used sql injection isn't possible - not sure if malicious javascript is the same though. I've also seen on a few other forums that it's not a good idea to validate name fields (although the characters I've disallowed shouldn't cause any problems). What are your thoughts?

Can I see a copy of the my account page? Are you using MySQLi? It should have automatic protection from this happening.

Glad to see I'm not the only one working on a Saturday! Yes, it's MySQLi. Page is attached - the only update I've made since they checked it is to add a restricted content validation on the Name and Firm fields.

That is odd. Can I get FTP access and a URL to reproduce it? I'll be able to track it down that way, but it looks like the code is right and should be protected automatically.

Yes of course, details in PM.

I can't seem to get in with that FTP information. Does it have IP restrictions that might be keeping me out?

That's odd, it's not too long since you last accessed it. Are you using SFTP, port 2020? If you could give me your IP I can ask my client to add it to the whitelist on the Cloudflare server, although not sure how quickly he'll be able to do it - might be tomorrow.

I was able to get FTP working with Dreamweaver. It didn't work with Filezilla. Can I get a url to reproduce the issue? I'll take a look.

Details in PM.

I see the issue. The problem stems from you using a session variable that is set on the login page from the database and displaying it.

The values set from the login page aren't encoded by default like values displayed from the recordset are. I think the best solution would be to just add the encoding when the value is displayed. So on line 170 of my-account.php instead of:

echo $arr[0];

use:

echo htmlspecialchars($arr[0]);