5
Currently it is by default possible to enter a script in text-input fields and textarea fields. It should be possible (without coding) to do not allow special characters input in form fields, and only allow it by allowing it explicitly.
Probably also a regex would help (like in ClickDimensions):
Here for each field a "Validation"-section exists. You can choose from an existing predefined pattern or enter a custom regex and then define the error message.
For email fields is the default existing pattern choosen, but you can definie your own regex if you want.
Background: we had a penetration test for one of our customers and the result was that it was possible to enter script in the fields. This allows attackers to run scripts through the name variable and can be later used in the personalize content in the email.
Probably also a regex would help (like in ClickDimensions):
Here for each field a "Validation"-section exists. You can choose from an existing predefined pattern or enter a custom regex and then define the error message.
For email fields is the default existing pattern choosen, but you can definie your own regex if you want.
Background: we had a penetration test for one of our customers and the result was that it was possible to enter script in the fields. This allows attackers to run scripts through the name variable and can be later used in the personalize content in the email.
STATUS DETAILS
Planned
2023 Release Wave 1
Administrator on 8/1/2022 1:34:10 PM
Thank you for your feedback. We prevent potential malicious script execution by escaping the input value. Therefore it is not possible to execute the script. Could you please provide more details on the penetration test findings? Thank you. Sincerely, Petr Jantac, Microsoft