I just wanted to inform you that the sample scripts you are distributing contain a multitude of serious and easily exploitable cross-site scripting security errors that could allow users who use the examples without modification on live sites to open up their contact forms to manipulation by a malicious user. The exploits could allow a blackhat to grab passwords or other sensitive information from unsuspecting users trying to sign up for a contact email list. For more information on the problem, you can read shiflett.org/blog/2005/dec/googles-xss-vulnerability
Specifically, the files simple_form.php and others that use form fields should never echo a $_POST variable directly, but should at the minimum escape the variable. The ConstantContact class does escape when sending the XML to the server, but even this is not entirely secure.
To secure the examples, 3 steps need to be taken:
1) add: header('Content-Type: text/html; charset=UTF-8'); to the top of the script
2) every echo $_POST needs to be changed to echo htmlspecialchars($_POST, ENT_QUOTES, 'UTF-8');
3) add an xml prolog to the generated xml <?xml version="1.0" encoding="UTF-8" ?> and change all htmlspecialchars($params); to htmlspecialchars($params, ENT_QUOTES, 'UTF-8');
With those three steps, the exploitable security holes will disappear.
Thank you for this feedback. We are implementing the changes in our PHP form immediately and will be creating an FAQ to assist customers who have already used the PHP script on their server with how to update it.
Please let us know if you have any other feedback on our sample code and we can certainly look into it for you.
View API documentation, code samples, get your API key.Visit Page
We want to hear from customers like you about your favorite features and how they have helped your business or organization. Tell us by answering a few questions in...Read More