sample PHP script has XSS vulnerability



I just wanted to inform you that the sample scripts you are distributing contain a multitude of serious and easily exploitable cross-site scripting security errors that could allow users who use the examples without modification on live sites to open up their contact forms to manipulation by a malicious user.  The exploits could allow a blackhat to grab passwords or other sensitive information from unsuspecting users trying to sign up for a contact email list.  For more information on the problem, you can read

Specifically, the files simple_form.php and others that use form fields should never echo a $_POST variable directly, but should at the minimum escape the variable.  The ConstantContact class does escape when sending the XML to the server, but even this is not entirely secure.

To secure the examples, 3 steps need to be taken:

1) add: header('Content-Type: text/html; charset=UTF-8'); to the top of the script

2) every echo $_POST needs to be changed to echo htmlspecialchars($_POST, ENT_QUOTES, 'UTF-8');

3) add an xml prolog to the generated xml <?xml version="1.0" encoding="UTF-8" ?> and change all htmlspecialchars($params); to htmlspecialchars($params, ENT_QUOTES, 'UTF-8');

With those three steps, the exploitable security holes will disappear.
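The three steps above applied to a minimal form, as an added example that is not part of the original post or of Constant Contact's sample code. The helper names `e()` and `build_contact_xml()`, the field names, the XML element names and the sample input are assumptions made for illustration.

```php
<?php
// Step 1: declare the charset so the browser and htmlspecialchars() agree on it.
header('Content-Type: text/html; charset=UTF-8');

// Step 2: escape every request value at the point of output (hypothetical helper).
function e($value): string
{
    // Array input (e.g. email[]=x) is dropped instead of being echoed as "Array".
    if (!is_string($value)) {
        return '';
    }
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Step 3: XML prolog plus the same escaping for each value placed in the body.
// Element names are placeholders, not the Constant Contact schema.
function build_contact_xml(array $params): string
{
    $xml = '<?xml version="1.0" encoding="UTF-8" ?>' . "\n<contact>\n";
    foreach ($params as $name => $value) {
        // Keys are chosen by the developer; only the values come from the request.
        $xml .= "  <$name>" . e($value) . "</$name>\n";
    }
    return $xml . "</contact>\n";
}

// Constructed sample input, used only when the script is run from the command line.
if (PHP_SAPI === 'cli' && empty($_POST)) {
    $_POST = ['email' => '"><em>injected</em>', 'first_name' => "O'Brien & Co"];
}

$email = $_POST['email'] ?? '';
$first = $_POST['first_name'] ?? '';

// Before the fix the form did: echo $_POST['email'];
// which reflects submitted markup into the value attribute unchanged.
?>
<form method="post">
  <input type="text" name="email" value="<?php echo e($email); ?>">
  <input type="text" name="first_name" value="<?php echo e($first); ?>">
  <input type="submit" value="Sign up">
</form>
<pre><?php echo e(build_contact_xml(['EmailAddress' => $email, 'FirstName' => $first])); ?></pre>
```

Run with `php` on the command line, the constructed `email` value comes out as `&quot;&gt;&lt;em&gt;injected&lt;/em&gt;` inside the `value` attribute, so the quote can no longer close the attribute.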


Hi Greg,


Thank you for this feedback.  We are implementing the changes in our PHP form immediately and will be creating an FAQ to assist customers who have already used the PHP script on their server with how to update it.  


Please let us know if you have any other feedback on our sample code and we can certainly look into it for you.  

Dave Berard
Senior Product Manager, Constant Contact