McAfee PCI scan says there is a Cross Site vulnerability with this code:
<input type="hidden" name="referer" value="<?php echo Mage::helper('core/url')->getCurrentUrl() ?>" />
and also with this code:
<meta property="og:url" content="<?php $url="http://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']; echo $url; ?>" />
A little intructions from McAfee has this:
[B]When accepting user input ensure that you are HTML encoding potentially malicious characters if you ever display the data back to the client.
Ensure that parameters and user input are sanitized by doing the following:
Remove < input and replace with <
Remove > input and replace with >
Remove ' input and replace with '
Remove " input and replace with "
Remove ) input and replace with )
Remove ( input and replace with ([/B]
I have tried to replace some characters but they don't work.
How does one go about fixing these issues?
Wrap your echo in htmlentities using the ENT_QUOTES option.
It appears this line of code wasn't the problem but a from I was working on.