Web Connection
Re: Cross-site scripting & PCI Compliance
07/01/2009
04:01:14 PM
From: Stein Goering
To: Aaron G
Attachments: None
Without seeing the larger context it's hard to say why your trap isn't working, but you've got the right idea. However, trapping for the full alert XSS string is pretty futile - you want to stop ANY script, not just the compliance test case. Your second condition - ATC([>],pcUsername)>0 - makes it redundant in any case. The thing is, you'll need to check all fields where the user can enter data that's later displayed on the HTML page.

I'll probably get in trouble with Rick for saying this, but I dealt with this issue by hacking the wwRequest class. There's an UnsafeCommandFilter method that's intended to filter out potentially dangerous FoxPro code - I just extended it to catch scripts as well by adding another check:

* Case-insensitive search for a script tag in the filtered request value
IF ATC("<SCRIPT",lcRetVal) > 0
   RETURN "*** UNSAFE CONTENT ***"
ENDIF


--stein
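The point in the reply above is that a blacklist for one tag is a stopgap; the durable fix is to encode the submitted value for the HTML context it is reflected into. The following is an added example in Python (not Web Connection or FoxPro code, and not the poster's): it mirrors the `ATC("<SCRIPT", ...)` check, then shows attribute-context encoding rendering the scanner's exact probe inert. The form markup and field name `pcUsername` are assumptions for illustration.

```python
import html

# Constructed sample: the exact string the compliance scanner submitted,
# as quoted in the thread.
SCANNER_PROBE = '"><script>alert(\'XSS\')</script>'


def is_unsafe_input(value: str) -> bool:
    """Python mirror of the FoxPro ATC("<SCRIPT", lcRetVal) > 0 check.

    ATC() is case-insensitive, so compare on the upper-cased value. This
    stops the scanner's probe, but it is a blacklist: it only knows about
    the one tag name it searches for, which is why the reply above calls
    trapping individual strings futile.
    """
    return "<SCRIPT" in value.upper()


def encode_for_attribute(value: str) -> str:
    """Encode a value for insertion into a double-quoted HTML attribute.

    quote=True escapes both quote characters in addition to &, < and >,
    so the leading '">' of the probe can no longer close the value="..."
    attribute and start a new tag.
    """
    return html.escape(value, quote=True)


def render_login_form(email: str) -> str:
    """Reflect the submitted e-mail back into the login form, encoded.

    Hypothetical markup standing in for the login page from the thread;
    only the encoding step matters here.
    """
    return '<input type="text" name="pcUsername" value="%s">' % (
        encode_for_attribute(email)
    )


def reflected_markup_is_inert(rendered: str, submitted: str) -> bool:
    """True when the raw probe is absent from the output and the only tag
    left in the fragment is the single <input> we emitted."""
    return submitted not in rendered and rendered.count("<") == 1
```

Encoding on output protects every field the page reflects, whereas the input trap has to be repeated for each one and still only catches what it was written to look for.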


Security Metrics notified me that my site was not passing a new compliance test that they added. The guy told me the exact reason I am failing is because my web site will return a response with this entered into my email address login: "><script>alert('XSS')</script>

The server will respond XSS. They told me that my server cannot respond to this type of request because it is a security weakness (cross-site scripting).

We tried to set up an "email trap" for the phrase "><script>alert('XSS')</script> and issue a 404 response. It is not working because IIS will process the request.

Here is the code I am using to try and "trap" this request:

IF ATC(["><script>alert('XSS')</script>],pcUsername) > 0 .OR. ATC([>],pcUsername) > 0   && "><script>alert('XSS')</script> found: we send a 404 response
   oHeader = CREATE("wwHTTPHeader",Response)
   oHeader.setprotocol([HTTP/1.1 404 Not Found])
   oHeader.CompleteHeader()
ENDIF

If I enter this: "><script>alert('XSS')</script> the webserver responds with XSS

How can I prevent this request from being processed and make my site PCI compliant again?

Here is an article I found about this known issue: http://www.ibm.com/developerworks/tivoli/library/s-csscript/

Thanks!