john_roberts Posted March 9, 2010

You don't need to do anything but install it and turn it on in admin. It's an easy install with no room for error.

Thus my quandary. I installed it. I turned it on in Admin. I still fail PCI compliance due to XSS vulnerability.

========

I really appreciate being able to talk to the man who wrote this. Thank you for your response.

I have just run some more experiments and using the "[w](o)%3Cr%3Ek|i*n^g" test string I can only get a cleaned ("working") result when I enter this into the credit card name field, at check out from the shopping cart. Every other entry data field I tested remains uncleaned. This proves that the routine works, it just isn't being called for every input data capture.

My compliance test is identifying the (customer and admin) login routine for XSS vulnerability.

Does any of this make sense? My assumption is that it would clean more than that one field. (I have no files excluded in admin.)

I guess I need to dig back into the PHP code and see what is different about the CC name field that allows it to work, and everything else that doesn't? I believe there are some specialized validation routines to test CC numbers etc.

Thanks for any help.

John Roberts