We are looking to adopt NopCommerce and completed an Acunetix security scan which flagged the following (repetitive) issue:
/100-physical-gift-card
Alert group: Cross site scripting
Severity: High
Description: Cross-site Scripting (XSS) refers to a client-side code injection attack wherein an attacker can execute malicious scripts in a legitimate website or web application. XSS occurs when a web application makes use of unvalidated or unencoded user input within the output it generates.
Recommendations: Apply context-dependent encoding and/or validation to user input rendered on a page.
Alert variants
Details: URI was set to "onmouseover='12Ar(9083)'bad="
The input is reflected inside a tag parameter between double quotes.
GET /100-physical-gift-card?"onmouseover='12Ar(9083)'bad=" HTTP/1.1
Referer: http://demostore.directfocus.com/
Connection: keep-alive
Cookie: [cookie values omitted]
Authorization: Basic YW5vbnltb3VzOmFub255bW91cw==
Accept: */*
Accept-Encoding: gzip,deflate
Host: demostore.directfocus.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Is this a known issue and will it be resolved in an upcoming release?
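Added example, not code from the original post or from nopCommerce: it contrasts the reflection pattern the finding describes (the request URL dropped unencoded into a double-quoted attribute) with the context-dependent encoding the scanner recommends, and uses Python's HTML parser to show what a browser would see in each case. The canonical-link template and the render functions are assumptions chosen for illustration; the path and probe string are the ones in the report.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote

# Constructed sample values: the request path from the finding and the
# scanner's probe string, which lands inside a double-quoted attribute.
PATH = "/100-physical-gift-card"
RAW_QUERY = "\"onmouseover='12Ar(9083)'bad=\""


def render_unencoded(path: str, query: str) -> str:
    """Vulnerable pattern (assumed template): the request URL is reflected as-is."""
    return f'<link rel="canonical" href="{path}?{query}">'


def render_encoded(path: str, query: str) -> str:
    """Context-dependent encoding: percent-encode the query for the URL
    context, then HTML-encode the whole value for the attribute context."""
    url = f"{path}?{quote(query, safe='=&')}"
    return f'<link rel="canonical" href="{html.escape(url, quote=True)}">'


class _FirstTag(HTMLParser):
    """Collects the attributes the browser would see on the first tag."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if self.attrs is None:
            self.attrs = dict(attrs)


def parsed_attributes(markup: str) -> dict:
    parser = _FirstTag()
    parser.feed(markup)
    parser.close()
    return parser.attrs or {}


def unexpected_attributes(markup: str, allowed=("rel", "href")) -> set:
    """Any attribute beyond the intended ones means the value broke out of its quotes."""
    return set(parsed_attributes(markup)) - set(allowed)


if __name__ == "__main__":
    print(unexpected_attributes(render_unencoded(PATH, RAW_QUERY)))  # {'onmouseover', 'bad'}
    print(unexpected_attributes(render_encoded(PATH, RAW_QUERY)))    # set()
```

The percent-encoding step matters on its own: even with attribute encoding, a URL value that keeps raw quotes would still be rejected or mangled by strict consumers of the href, so both layers are applied in the order the contexts nest.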