HubSpot Ideas

ozgesila

Form character limit request to prevent SQL injection and XSS

Forms should have character limits in order to prevent SQL injection and XSS. I talked with 3 different Hubspot support agents; they all suggested that I add JavaScript code. Client-side solutions, like JS, cannot solve this problem since they can be easily evaded by only using the browser. So, HubSpot should provide a server-side solution that only you can provide.

1 Comment
STaruc
Contributor

Thanks for this idea. The vulnerability is that Hubspot forms allow for HTML tags to be submitted and rendered within form fields. Sanitizing fields server-side would be an appropriate solution. It's surprising that Hubspot allows this problem; the Hubspot blog even has a security article mentioning this vulnerability, and one security company even documented how Hubspot addressed this same problem in the Hubspot CMS system blog commenting system: https://www.contrastsecurity.com/security-influencers/hubspot-vulnerability-fixed-cross-site-scripti...
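A server-side check of the kind the thread asks for, written as an added example (not HubSpot's code; the field names, limits and the sample submission are constructed): it re-enforces the per-field length limit on the server, where a client that skipped the JavaScript check cannot avoid it, and HTML-escapes each stored value so that tags submitted into a field are rendered as text rather than markup. The sample also shows why the length limit alone is not sufficient: a short `<script>` tag fits comfortably inside a 50-character name field, so the escaping step is what actually neutralizes it.

```python
import html
import re

# Constructed per-field limits, standing in for what a form owner would configure.
FIELD_LIMITS = {"firstname": 50, "email": 254, "message": 1000}

# Crude tag detector, used only to report whether a value carries HTML markup.
TAG_RE = re.compile(r"<[^>]*>")

# Constructed submission, as sent by a client that bypassed the client-side JS:
# a script tag in a short field and an over-long message body.
SAMPLE_SUBMISSION = {
    "firstname": "<script>alert(1)</script>",
    "email": "jane@example.com",
    "message": "x" * 2000,
}


def contains_markup(value):
    """True if the raw value contains anything that looks like an HTML tag."""
    return bool(TAG_RE.search(value))


def validate_submission(fields, limits=FIELD_LIMITS):
    """Validate a form submission on the server, trusting nothing from the client.

    Returns (clean, errors). Unknown fields, non-string values and values over
    the configured limit are rejected; accepted values are HTML-escaped so that
    any tags the submitter typed render as literal text when displayed.
    """
    clean, errors = {}, {}
    for name, value in fields.items():
        if name not in limits:
            errors[name] = "unexpected field"
            continue
        if not isinstance(value, str):
            errors[name] = "must be a string"
            continue
        if len(value) > limits[name]:
            errors[name] = f"exceeds {limits[name]} characters"
            continue
        # Escaping on store (or on render) is what stops the markup from executing.
        clean[name] = html.escape(value, quote=True)
    return clean, errors


if __name__ == "__main__":
    accepted, rejected = validate_submission(SAMPLE_SUBMISSION)
    print("accepted:", accepted)
    print("rejected:", rejected)
```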