<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
Tested on Mac OS X 10.10, seems to work in Firefox (41 and 44), but
not Chrome (48) nor Safari (9).<br>
<br>
(pickup.php, not pickup/php for anyone who wants to try)<br>
<br>
~Keith<br>
<br>
On 03/01/2016 02:14 PM, Chris Venter wrote:<br>
<span style="white-space: pre;">> Hi<br>
><br>
> Our security audit has highlighted a possible reflected cross
site scripting error on the pickup.php page, to test we ran<br>
><br>
> <a class="moz-txt-link-freetext" href="https://server_name/pickup/php?emailAddr=test">https://server_name/pickup/php?emailAddr=test</a>"
/&gt;&lt;script&gt;alert('XSS Test')&lt;/script&gt;<br>
><br>
> Can anyone else confirm if this is an issue?<br>
><br>
> Thanks<br>
> CJ<br>
><br>
><br>
> _______________________________________________<br>
> ZendTo mailing list<br>
> <a class="moz-txt-link-abbreviated" href="mailto:ZendTo@zend.to">ZendTo@zend.to</a><br>
> <a class="moz-txt-link-freetext" href="http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto">http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto</a></span><br>
<br>
<br>
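The test string in the thread begins with a double quote and a tag close, the shape that breaks out of a double-quoted HTML attribute. The PHP below is an added example, not part of the original messages and not ZendTo's code: it assumes the emailAddr value is reflected into an input's value attribute (the markup and function names are hypothetical) and compares verbatim output with output encoded by htmlspecialchars.<br>

```php
<?php
// Added illustration, not ZendTo's code: the form markup and the function
// names below are hypothetical.

// Constructed input: the emailAddr value from the test URL quoted in the thread.
$emailAddr = 'test" /><script>alert(\'XSS Test\')</script>';

// Vulnerable pattern: the parameter is copied verbatim into a double-quoted
// attribute, so the leading `" />` ends the attribute and the tag.
function render_unsafe(string $value): string
{
    return '<input type="text" name="emailAddr" value="' . $value . '" />';
}

// Hardened pattern: encode for the HTML attribute context at output time.
function render_safe(string $value): string
{
    $encoded = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="emailAddr" value="' . $encoded . '" />';
}

// Parse the markup as HTML and report how many script elements it contains
// and what the input's value attribute decodes to.
function inspect_markup(string $html): array
{
    libxml_use_internal_errors(true);   // tolerate the stray text in the unsafe case
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    $input = $doc->getElementsByTagName('input')->item(0);
    return [
        'script_elements' => $doc->getElementsByTagName('script')->length,
        'input_value'     => $input ? $input->getAttribute('value') : null,
    ];
}

foreach (['unsafe' => render_unsafe($emailAddr), 'safe' => render_safe($emailAddr)] as $name => $html) {
    $result = inspect_markup($html);
    printf("%-6s scripts=%d value=%s\n", $name, $result['script_elements'], var_export($result['input_value'], true));
}

// Defence in depth. Assumption from the parameter name: the field is meant to
// hold an e-mail address, so a value that fails validation can be dropped
// before it reaches the template.
var_dump(filter_var($emailAddr, FILTER_VALIDATE_EMAIL));
```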
</body>
</html>