
Protecting PayPal donation form from XSS - CodeIgniter

I'm really paranoid about whether my donation form is safe from XSS or not (maybe I've been reading too many XSS articles). I've used the button generator provided by PayPal and inserted that into my page, but I also added a select element which has the 'item_name' value as its name attribute (one of PayPal's HTML values):

i.e. like this:

<select name="item_name">
<option>...</option>
...
</select>

My first concern is whether that's okay to do, because I'm storing the donate button in my account as a saved button, and PayPal says to put the code they give you "as-is" into your page, without alteration. I know it's self-evident, but it's just a cheeky select element that'll make a better user experience :P. Is that okay?

Another question I want to ask is: should I make the action attribute on the form that PayPal has given me point to a function in my controller which sanitizes the select element's value using htmlspecialchars() (is it even necessary to check the select element for such a purpose?), and in that function somehow point back to the PayPal URL?

I don't have any other form on my website apart from an email me form, which I will apply XSS filtering to, but this PayPal form has got me confused as to how I need to protect it.

If you are not taking input from the client and displaying it on your website, you do not need to worry.

The two primary cases of XSS would be database- and request-based. In a database-based system, an attacker submits malicious code to a publicly displayed field (comment form, something along those lines). Then, whenever the data from this form is displayed, the code is run - assuming the database is not properly sanitized.

The other method would be XSS via a GET request. An attacker sends a victim a link to your site with malicious code as a parameter in the URL. If this parameter is displayed on the page and not properly sanitized, XSS can occur.

<?php
// Reflected XSS: the GET parameter is written into the page without escaping.
echo "You just bought a " . $_GET['itemname'];

You should not need to worry in your case, and don't bother sending to a controller to sanitize first - PayPal takes care of that themselves.

Additional note: You don't need to worry about XSS in your email form; JavaScript is not run by mail clients. What you do need to worry about is header injection.
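To make the reflected-XSS case above concrete alongside the htmlspecialchars() question from the post, here is an added PHP example (not code from the answer, from CodeIgniter or from PayPal's button). It assumes a hypothetical thank-you page that echoes the selected item_name back to the buyer; the option values and request arrays are constructed.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the <option> values of the item_name select.
const ALLOWED_ITEMS = ['General fund', 'Scholarships', 'Building repairs'];

// Vulnerable form from the answer: the GET parameter reaches the HTML
// unescaped, so any markup the attacker puts in the link is rendered.
function renderUnsafe(array $get): string
{
    return "You just bought a " . ($get['itemname'] ?? '');
}

// Hardened form: escape at the point of output. ENT_QUOTES also escapes
// quotes, which matters when the value is reflected inside an attribute.
function renderEscaped(array $get): string
{
    $item = $get['itemname'] ?? '';
    return "You just bought a "
        . htmlspecialchars($item, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Stricter still: a <select> can only legitimately submit one of its option
// values, so anything else is rejected before it is ever rendered.
function renderAllowlisted(array $get): string
{
    $item = $get['itemname'] ?? '';
    if (!in_array($item, ALLOWED_ITEMS, true)) {
        return "Unknown item.";
    }
    return "You just bought a "
        . htmlspecialchars($item, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed request values standing in for $_GET: one hostile, one benign.
$hostile = ['itemname' => '<script>alert(1)</script>'];
$benign  = ['itemname' => 'Scholarships'];

echo renderUnsafe($hostile), PHP_EOL;       // markup passed through verbatim
echo renderEscaped($hostile), PHP_EOL;      // markup rendered as literal text
echo renderAllowlisted($hostile), PHP_EOL;  // rejected before rendering
echo renderAllowlisted($benign), PHP_EOL;   // accepted and escaped
```

The allowlist check is the one that matches the question's situation: since the select only offers fixed choices, the server can refuse anything else rather than merely escape it.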

The PayPal form (HTML) can't be changed using XSS unless an intruder gets access to your backend, where you have the option to change the HTML pages that display the PayPal form. But in that case the PayPal form is not what you should be worried about. By the way, it's OK to think the way you did in this case; security comes first.
