Announcement

Collapse
No announcement yet.

Public Comment data filtered ?

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Public Comment data filtered ?

    The public comment on a payment page is subsequently displayed to the world. This behavior is typically viewed as a security hole and mitigated by filtering the input. Yes, I realize that a person would have to make a payment to get the comment to show, but stolen credit cards are not unknown. What does the C&P security team say about this ?

  • #2
    Good day!

    I am not sure I understand the question.

    A comment is a streamer comment that a donor may place to show on the fundraiser page or the organization donation page, similar to a comment one places in Google+ or Facebook or any other peer-to-peer fundraising page.

    What does this have to do with security?
    Regards,
    Click & Pledge Support Department

    On Salesforce? Help us by rating our app: Click & Pledge Donor Management on AppExchange

    Join us @ the educational webinars: https://clickandpledge.com/webinars/
    Live Support available Join between 3:00 - 3:30 p.m. ET Monday - Thursday: https://clickandpledge.com/webinars/
    Are you on Salesforce? Join us at the Power of Us Hub: https://powerofus.force.com/0F980000000CjpC

    Comment


    • #3
      For a more detailed explanation - see https://www.owasp.org/index.php/Cros...Scripting_(XSS) and "Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it." Your web site security people ought to be familiar with the concept, if you are not. Please ask them.

      Comment


      • #4
        Good day!

        We are fully aware of what you are discussing and the link you sent is not working.

        SQL Injection is not applicable as scrubbing is something we do in every field. C&P is PCI Level 1 certified and every aspect of our platform is tested against these type of kiddy attacks. We are also monitored 24x7 with live monitoring of all log files and much more.

        Every field is scrubbed but it has nothing to do with security. When you post to this forum the posts go to all developers & IT team. I am the head of security and as such I know so do not need to ask anyone.

        If you tell me what your concern is then I can answer your question. I still do not know what the question is.
        Regards,
        Click & Pledge Support Department

        On Salesforce? Help us by rating our app: Click & Pledge Donor Management on AppExchange

        Join us @ the educational webinars: https://clickandpledge.com/webinars/
        Live Support available Join between 3:00 - 3:30 p.m. ET Monday - Thursday: https://clickandpledge.com/webinars/
        Are you on Salesforce? Join us at the Power of Us Hub: https://powerofus.force.com/0F980000000CjpC

        Comment

        Working...
        X