Security : Server side validation / SQL injection / XSS

Anonymous
Not applicable

Hi,

Our security scan of the Marketo form is now revealing that the form accepts invalid inputs such as HTML code, etc.
For example, <script>Alert('Hacked');

This flaw may cause several security issues, such as SQL injection, cross-site scripting (XSS), etc.

I have done a lot of research on the Marketo community and found no articles discussing how Marketo handles such invalid inputs, SQL injection, or XSS on Marketo forms.

Does Marketo have server-side validation or any other security mechanism to validate invalid inputs and mitigate risks such as SQL injection, cross-site scripting (XSS), etc.? Any suggestion to overcome this security flaw is appreciated.

Thank you in advance for all comments.
Regards,
Taworn D.
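
The distinction this question turns on is worth making concrete. A field that stores the literal text <script>...</script> is not by itself an exploit: cross-site scripting happens at the point where that stored value is written into an HTML page or email without output encoding, and SQL injection is prevented (or not) by whether the backend uses parameterized queries. Neither can be observed from the client side of the form. The following added example, which is not Marketo's code and is not part of the original thread, shows the vulnerable and the encoded rendering of such a stored value side by side, plus a client-side check that rejects markup-like values before they reach the lead record. The Marketo Forms 2.0 method names used at the end (MktoForms2.whenReady, onValidate, getValues, submittable, showErrorMessage) are assumed from memory of that API and should be checked against the current documentation; the sample submission is constructed for the example.

```javascript
// Added example (not Marketo's code). Runs under Node as-is; the Forms 2.0
// hook at the bottom is only wired up when the MktoForms2 library is present.

// Constructed sample submission, using the payload from the security scan.
const SAMPLE_SUBMISSION = {
  FirstName: "<script>Alert('Hacked');</script>",
  Email: "taworn@example.com",
};

// Characters that are significant in HTML text nodes and quoted attributes.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Output-encode a value for insertion into an HTML text node or quoted attribute.
// This is the primary XSS control: it is applied where the value is rendered,
// not where it is accepted.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": plain concatenation. The stored payload becomes live markup.
function renderGreetingVulnerable(firstName) {
  return "<p>Hello, " + firstName + "!</p>";
}

// "After": the same template with output encoding. The payload is inert text.
function renderGreetingSafe(firstName) {
  return "<p>Hello, " + escapeHtml(firstName) + "!</p>";
}

// Defense in depth: flag values that look like markup so they never reach the
// lead record. Heuristic only (tag openers, javascript: URLs, inline event
// handler attributes); it does not replace output encoding.
const MARKUP_PATTERN = /<[a-z!\/?]|javascript\s*:|\bon[a-z]+\s*=/i;

function containsMarkup(value) {
  return MARKUP_PATTERN.test(String(value));
}

// Validate an object of field values; returns the names of offending fields.
function findMarkupFields(values) {
  return Object.keys(values).filter((name) => containsMarkup(values[name]));
}

// Stand-alone demonstration of the two renderings.
console.log("vulnerable:", renderGreetingVulnerable(SAMPLE_SUBMISSION.FirstName));
console.log("encoded:   ", renderGreetingSafe(SAMPLE_SUBMISSION.FirstName));
console.log("rejected fields:", findMarkupFields(SAMPLE_SUBMISSION));

// Wiring into the Marketo Forms 2.0 API (assumed method names: whenReady,
// onValidate, getValues, submittable, showErrorMessage; verify against the
// current Forms 2.0 documentation before relying on them).
if (typeof MktoForms2 !== "undefined") {
  MktoForms2.whenReady(function (form) {
    form.onValidate(function () {
      const bad = findMarkupFields(form.getValues());
      if (bad.length > 0) {
        form.submittable(false);
        form.showErrorMessage("HTML is not allowed in: " + bad.join(", "));
      } else {
        form.submittable(true);
      }
    });
  });
}
```

Run it under Node to see both renderings; in a browser where the Forms 2.0 library is loaded, the validator attaches to the form. The markup check is a heuristic (it will also reject a legitimate value such as "a<b"), so the real control remains encoding on output and parameterized queries on the server. A scanner report that the form accepts HTML has, on its own, demonstrated neither XSS nor SQL injection; that requires a sink that reflects or executes the stored value.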

27 REPLIES
Anonymous
Not applicable

Might work, if your form design tool was able to create a form that looked like it belonged in the 21st century. We stopped using your form designs years ago because it was nigh unto impossible to make them look and act the way modern forms should. But that's a different topic entirely.

Hobie_Thompson1
Level 4

The option to edit the CSS of a form or alternatively use the Munchkin JavaScript API should cover nearly every form use case and allow for snazzy, elegant, good-looking forms.

Anonymous
Not applicable

They don't. The form markup Marketo emits might have been acceptable a decade ago. Today it's primitive and forestalls you from using any of several currently acceptable approaches to form design (you can't even set a placeholder attribute, for crying out loud, let alone add a classname or data-attribute your site design would like to see) no matter how you edit the CSS. And the hooks in the CSS are too limited to let you fit it into a site design of any size or complexity without spending a lot of time developing, debugging, and maintaining two completely separate codebases. The Marketo form tools smack of either arrogance ("You will use only the subset of classes and valid HTML attributes that we deign proper for you to use") or incompetence ("We couldn't figure out how to concatenate strings so you can't add your own class names or attributes"). Responsive, Bootstrap-enhanced landing pages -- "Yes!" says Marketo. But perish the thought they actually let you use a form design that integrates well and cleanly into your site design, especially if the site design is built on Bootstrap! Let that sink in. There really is no good way to build a form using Bootstrap for your Bootstrap-based Marketo landing page. And that's been known for years, yet nothing has been done, despite the fact that most open source CMSs and frameworks solved that problem long ago, so the code is right there, available for study.

Kenny_Elkington
Marketo Employee
Hi Domenic,

Could you please log a support ticket demonstrating your concerns with regard to any potential XSS vulnerabilities?
Anonymous
Not applicable
An old issue, but I have seen the same problem. Any response from Marketo?
Anonymous
Not applicable
I have the same concern.
Can we disable form fields from allowing html?
Anonymous
Not applicable
To follow the discussion.