I have a form on the mobile version of a page on my site that starts with this HTML:

<select id="selectItemToUrl" onchange="if (this.value) window.location.href=this.value">
<option value="contact-us">Ball</option>
--lots more options below--

But when I try to save it, my hosting company's firewall blocks me from saving it, saying that an XSS attack was detected. Is using this kind of redirect just causing a false positive, or am I really leaving my site open to an XSS attack if I use this redirect?
It depends on the form on your site. For example, if it is generated with the help of a PHP framework and can be filled through GET, then it can be XSS. If it is static and does not work with user requests, you shouldn't worry.
It's not that critical an issue with a static site. For a dynamic site, there are different kinds of XSS vulnerability; it's a critical issue if an attacker is able to inject commands (XSS command injection).
Regardless of whether it's a security issue, you're taking a huge dump on accessibility with that, since with scripting off you have no navigation. /FAIL/ at web development. You want <option>s that behave like <a>nchors? Use a bunch of anchors and then use CSS to mimic the behavior of a dropdown! This type of navigation isn't even JavaScript's flipping JOB!

<div class="anchorSelect">
	<input type="checkbox" id="anchorSelect_1" hidden>
	<h2><label for="anchorSelect_1">Select Page</label></h2>
	<ul>
		<li><a href="contact-us">Contact Us</a></li>
		<li><a href="contact-us">Contact Us</a></li>
		<li><a href="contact-us">Contact Us</a></li>
		<li><a href="contact-us">Contact Us</a></li>
		<li><a href="contact-us">Contact Us</a></li>
		<li><a href="contact-us">Contact Us</a></li>
		<li><a href="contact-us">Contact Us</a></li>
	</ul>
<!-- .anchorSelect --></div>

/* Assumes a reset is in use, so all margins/paddings are zero */

.anchorSelect {
	position:relative;
	display:inline-block;
	font:normal 1em/1.5em arial,helvetica,sans-serif;
}

.anchorSelect h2 {
	display:inline-block;
	font:normal 1em/1.5em arial,helvetica,sans-serif;
}

.anchorSelect h2 label {
	display:block;
	background:#FED;
	padding:0.25em 0.5em;
	border:1px solid #000;
}

.anchorSelect h2 label:after {
	content:"\25BC";
	padding-left:0.5em;
}

.anchorSelect ul {
	box-sizing:border-box;
	list-style:none;
	position:absolute;
	left:-999em;
	top:2em;
	min-width:100%;
}

.anchorSelect input:checked ~ ul {
	left:0;
	background:#EEE;
	border:1px solid #000;
}

.anchorSelect input:checked + h2 label:before {
	content:"";
	position:fixed;
	top:0;
	left:0;
	width:100%;
	height:100%;
}

.anchorSelect a {
	display:block;
	padding:0.25em 0.5em;
	text-decoration:none;
	color:#000;
}

.anchorSelect a:active,
.anchorSelect a:focus,
.anchorSelect a:hover {
	background:#00C;
	color:#FFF;
}

No scripting needed, it gracefully degrades so the anchors will still work even when CSS isn't available, and you can style it however you like, unlike OPTION.
The "hidden" attribute makes the "abuse" of an INPUT checkbox no longer an accessibility woe.
CSS-only dropdowns don't work well on mobiles. They open just fine but can't be closed. I prefer CSS/checkbox ones. I may use yours in some of my projects if you don't mind.
Mine can. Tap either the text that opens it, or anywhere outside the dropdown. That's what the :before generated content is for: position:fixed full screen, so clicking anywhere outside the absolutely positioned UL will close it. That was actually one of my biggest complaints, so rather than continuing to complain about it, I did something about it. This could also be leveraged so that on small displays it opens as a modal. I've been using that trick more and more with hamburger menus, as it seems far more useful to have a styled modal than to try to drop down or insert the content on the page.

-- edit -- Oh wait, you meant ones that rely on just :hover, didn't you? Yeah, those suck in the age of touch interfaces. We can do better!

Oh, and... I don't post code online for it not to be used.
I know this is an old post. Just for information: this.value can be easily manipulated on the client side and can be used to redirect to a malicious site. With this code snippet, I can't tell precisely. It is possible to generate a link containing your website, but clicking it can redirect to a malicious site. So, imagine a mail asking users to reset their password but with a manipulated link. All users who click on the link will get infected.
Your HTML tags on the back-end need to be encoded to mitigate the XSS vulnerability. If those tags are already encoded then it's likely a false positive.
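A hardened version of the select-based redirect from the question, added here as an example and not code from any poster in this thread: the option value is treated only as a key into an allowlist of same-origin paths (NAV_TARGETS, a constructed list) instead of being assigned to window.location directly, and the inline onchange handler is replaced by a listener. The isSameOriginPath helper and the origin value it takes are assumptions for lists generated server-side where a fixed allowlist is impractical.

```javascript
// Constructed allowlist: <option value> keys mapped to same-origin paths.
const NAV_TARGETS = new Map([
  ['contact-us', '/contact-us'],
  ['about-us', '/about-us'],
  ['products', '/products'],
]);

// Treat the select value purely as a lookup key. Anything not in the
// allowlist (absolute URLs, "//host", "javascript:", traversal) yields null.
function resolveNavTarget(value, targets = NAV_TARGETS) {
  if (typeof value !== 'string' || value === '') return null;
  const target = targets.get(value);
  return target === undefined ? null : target;
}

// For server-generated lists: accept only values that resolve to a path on
// the site's own origin (assumed origin is passed in). Rejects other hosts,
// scheme-relative "//host" and "javascript:" URLs (origin "null").
function isSameOriginPath(value, origin) {
  if (typeof value !== 'string' || value === '') return false;
  let url;
  try { url = new URL(value, origin); } catch (e) { return false; }
  return url.origin === origin && url.protocol !== 'javascript:';
}

// Replaces onchange="window.location.href=this.value" with a listener that
// navigates only to resolved targets; `win` is injectable for testing.
function attachNavSelect(selectEl, win) {
  const w = win || (typeof window !== 'undefined' ? window : null);
  selectEl.addEventListener('change', () => {
    const target = resolveNavTarget(selectEl.value);
    if (target !== null && w) w.location.assign(target);
  });
}

// Stand-alone demonstration with a constructed fake element and window.
function demo() {
  const fakeWin = { location: { assigned: null, assign(t) { this.assigned = t; } } };
  const fakeSelect = {
    value: 'https://evil.example/phish', // constructed tampered value
    addEventListener(_ev, fn) { this.fire = fn; },
  };
  attachNavSelect(fakeSelect, fakeWin);
  fakeSelect.fire();                    // tampered value: no navigation
  const blocked = fakeWin.location.assigned;
  fakeSelect.value = 'contact-us';
  fakeSelect.fire();                    // allowlisted key: navigates
  return { blocked, allowed: fakeWin.location.assigned };
}
```

Because the value is never used as a URL, a firewall rule that flags `window.location.href=this.value` no longer has anything to match, and a tampered value cannot send the user off-site.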