We have integrated CuteEditor for .NET with our application.
Recently we ran a security scan using the Acunetix tool and found the following alert in the report. The tool reports cross-site scripting in the ../cuteeditor/dialogs/tag.aspx file.
Could you please advise how to avoid this security issue?
The report from the tool:
Affected items:
/cutesoft_client/cuteeditor/dialogs/tag.aspx
Details:
URL encoded GET input Theme was set to Office2003_BlueTheme' onmouseover=prompt(919401) bad=' The input is reflected inside a tag parameter between single quotes.
Request headers:
(line truncated) ...S5DdXRlRWRpdG9yUHJvdmlkZXJzLkN1c3RvbWVyRGF0YUZpbGVTdG9yYWdlLCBDdXRlRWRpdG9yUHJvdmlkZX JzLCBWZXJzaW9uPTkuMi4wLjEyNDA4LCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPW51bGwvRTpcS0 JEYXRhXGtub3dsZWRnZWJhc2VccHVibGljZmlsZXNcMTJcV2ViZmlsZXMPL3BmLzEyL1dlYkZpbGVzDy9wZi8xMi 9XZWJGaWxlcw8vcGYvMTIvV2ViRmlsZXMPL3BmLzEyL1dlYkZpbGVzDy9wZi8xMi9XZWJGaWxlcw8vcGYvMTIvV2 ViRmlsZXMr2EE!1aMzy4MQMr8PMdrNbxAuMGfEHw4r1icMVlJO9hg!2!2&Tab=Style&Tag=A&Theme=Office20 03_BlueTheme'%20onmouseover%3dprompt(919401)%20bad%3d' HTTP/1.1 Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL) Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED
Accept: */*
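As an added illustration (not part of the post above and not CuteEditor's own code): the report says the Theme query value is reflected into a single-quoted tag attribute, so the defensive fix is to keep untrusted text out of that attribute entirely, by resolving the parameter against an allow-list of real theme names and attribute-encoding whatever is rendered. The class, method and theme names below are assumptions; the payload string is the one from the Acunetix report.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;
using System.Web;

// Hypothetical helper showing the defensive pattern, not CuteEditor's API.
public static class ThemeOutput
{
    // Theme names the application actually ships (assumed list); anything else is rejected.
    static readonly List<string> KnownThemes =
        new List<string> { "Office2003_BlueTheme", "Office2007", "Default" };

    // A theme name is an identifier, so a quote, space or '=' can never be valid.
    static readonly Regex ThemeShape = new Regex(@"^[A-Za-z0-9_]{1,64}$");

    // Returns the canonical theme name, or the default when the request
    // value is absent, malformed, or not a theme we know about.
    public static string ResolveTheme(string requested)
    {
        if (string.IsNullOrEmpty(requested) || !ThemeShape.IsMatch(requested))
            return "Default";
        foreach (string known in KnownThemes)
            if (known.Equals(requested, StringComparison.OrdinalIgnoreCase))
                return known;   // canonical casing, never the raw request text
        return "Default";
    }

    // Render into a double-quoted attribute and attribute-encode the value.
    // HttpUtility.HtmlAttributeEncode only began encoding the single quote
    // in .NET 4.0, which is why a single-quoted attribute is a poor place for
    // user-influenced text on older frameworks; the allow-list above means
    // the encoder is a second layer here, not the only one.
    public static string StylesheetLink(string requestedTheme)
    {
        string safe = ResolveTheme(requestedTheme);
        return "<link rel=\"stylesheet\" href=\"themes/"
             + HttpUtility.HtmlAttributeEncode(safe) + "/style.css\">";
    }

    public static void Main()
    {
        // Payload from the scan report: rejected by ThemeShape, falls back to Default.
        string payload = "Office2003_BlueTheme' onmouseover=prompt(919401) bad='";
        Console.WriteLine(StylesheetLink(payload));
        // A legitimate value in odd casing resolves to the canonical name.
        Console.WriteLine(StylesheetLink("office2003_bluetheme"));
    }
}
```

Whichever page builds the markup for tag.aspx would call ResolveTheme on Request.QueryString["Theme"] before the value is used anywhere, so the reflected string never reaches the attribute.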