I have created a .phtml and a model for getting data from the database in a CMS page in Magento EE. It basically gets data about a city from the database, and just like Google search the parameters are passed in the URL, the result is fetched and shown on the page.
Now, the problem arises when I try to apply XSS protection to it for security reasons. I am trying to prevent XSS attacks against it, for which I am using the following code:
    // Read the form key from the request and compare it with the one stored in the session.
    // Note: Magento's own form key field is named 'form_key', and a CMS page rendered over
    // GET carries no form key at all, so this comparison always fails and exit() runs.
    $formKey = $this->getRequest()->getParam('formKey');
    if ($formKey != Mage::getSingleton('core/session')->getFormKey()) {
        exit;
    }
but adding this didn't work for me, as the exit is executed when I call the template file in the CMS page.
Any help would be highly appreciated in this regard. Thanks in advance.
Answer
You are confusing XSS with CSRF; what you are trying to achieve is protection against CSRF attacks.
You can protect against CSRF by calling the _validateFormKey() method:
    // Mage_Core_Controller_Front_Action::_validateFormKey() compares the 'form_key'
    // request parameter with the form key held in the core/session singleton.
    if (!$this->_validateFormKey()) {
        exit();
    }
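The two protections the answer separates, as an added example that is not code from the question or the answer. Module, class and file names (Example_Citysearch), the 'city' parameter and the save action are assumed placeholders; the Magento 1 calls used (escapeHtml, getParam, isPost, _validateFormKey, _forward, getFormKey) are the framework's own.

```php
<?php
// Added example: output escaping guards the GET search page against reflected XSS,
// while the form key is required only on the state-changing POST action (CSRF).

// --- assumed path: app/code/local/Example/Citysearch/Block/Search.php ---
class Example_Citysearch_Block_Search extends Mage_Core_Block_Template
{
    // A read-only search over GET needs no form key; a CMS page that embeds this
    // block is rendered without one, which is why the question's exit() fired.
    public function getCityQuery()
    {
        return trim((string) $this->getRequest()->getParam('city', ''));
    }
}

// --- assumed path: app/code/local/Example/Citysearch/controllers/IndexController.php ---
class Example_Citysearch_IndexController extends Mage_Core_Controller_Front_Action
{
    // State-changing request: require POST and a valid form key (CSRF check).
    // Reject by forwarding to the 404 route rather than exit(), which would also
    // abort any CMS page that merely renders the search block.
    public function saveAction()
    {
        if (!$this->getRequest()->isPost() || !$this->_validateFormKey()) {
            $this->_forward('noRoute');
            return;
        }
        // ... persist the chosen city for the customer here (assumed) ...
        $this->_redirect('*/*/');
    }
}
?>
<!-- assumed path: app/design/frontend/.../template/citysearch/search.phtml -->
<?php /* @var $this Example_Citysearch_Block_Search */ ?>
<!-- XSS mitigation: escape every user-controlled value at output time -->
<p>Results for "<?php echo $this->escapeHtml($this->getCityQuery()) ?>"</p>
<form method="post" action="<?php echo $this->escapeHtml($this->getUrl('citysearch/index/save')) ?>">
    <!-- CSRF mitigation: the field _validateFormKey() reads is named form_key -->
    <input type="hidden" name="form_key"
           value="<?php echo $this->escapeHtml(Mage::getSingleton('core/session')->getFormKey()) ?>" />
    <input type="hidden" name="city" value="<?php echo $this->escapeHtml($this->getCityQuery()) ?>" />
    <button type="submit">Save this city</button>
</form>
```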