paypal / merchant-sdk-php

PHP SDK for integrating with PayPal's Express Checkout / MassPay / Web Payments Pro APIs

XSS vulnerability fixed #133

Closed DrHazemAli closed 7 years ago

DrHazemAli commented 7 years ago

Please pay some attention to security!! I have found a Reflected XSS vulnerability in the merchant SDK. The vulnerability exists due to insufficient filtration of user-supplied data in the `token` HTTP GET parameter that is passed to merchant-sdk-php\samples\AccountAuthentication\GetAuthDetails.html.php. The infected source code is line 7: there is no protection on `$_GET['token']`; if `$_GET['token']` contains evil JS code, line 21 will trigger untrusted code to be executed on the browser side.
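As an added illustration (not code from the SDK or from the issue author), the pattern the report describes, a GET parameter read early and echoed unescaped later, next to a version that escapes at output time. The `h()` and `isPlausibleToken()` helpers and the token character class are assumptions, not the sample's own code.

```php
<?php
// Added example: the unescaped-output pattern reported for
// samples/AccountAuthentication/GetAuthDetails.html.php, and a hardened form.

// Vulnerable shape: the raw parameter value is interpolated straight into the
// HTML body, so any markup or script it carries is rendered by the browser.
function renderTokenUnsafe(string $token): string
{
    return "<div>Token: {$token}</div>";
}

// Hardened shape: escape every untrusted value for the HTML context at the point
// of output. ENT_QUOTES also escapes single quotes (needed inside attribute
// values); naming the charset avoids mis-decoding corner cases.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Defense in depth: reject values that cannot be a token before they reach any
// output. The character class is an assumption about the token format, not
// something taken from the SDK; adjust it to the real format.
function isPlausibleToken(string $token): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_-]{1,64}$/', $token);
}

function renderTokenSafe(string $token): string
{
    if (!isPlausibleToken($token)) {
        return '<div>Invalid token.</div>';
    }
    return '<div>Token: ' . h($token) . '</div>';
}

// Constructed input: a "token" carrying markup characters, as the issue describes.
$token = $_GET['token'] ?? 'EC-TEST"><b>not-a-token</b>';

echo 'unsafe:  ' . renderTokenUnsafe($token) . PHP_EOL;   // markup survives
echo 'escaped: ' . h($token) . PHP_EOL;                   // &quot;&gt;&lt;b&gt;...
echo 'safe:    ' . renderTokenSafe($token) . PHP_EOL;     // rejected by the check
echo 'safe:    ' . renderTokenSafe('EC-1AB23456CD789012E') . PHP_EOL; // constructed valid-looking token
```

Run it from the CLI to see the three renderings side by side; in a web context the `$_GET` branch takes over.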

jaypatel512 commented 7 years ago

Hey @DrHazemAli !

Thank you so much for your detailed review on XSS Vulnerability. We reviewed your PR as well as the issue, and we made sure that we are not having any such vulnerability in our SDK.

We try to keep samples simple and straightforward to help developers gain a better understanding of our APIs, for the sake of clarity. We will merge your PR, and would appreciate it if you could create PRs for any other such improvements to our samples.

DrHazemAli commented 7 years ago

Thanks @jaypatel512 ! I appreciate it, and of course I'll do my best!