I just failed a PCI scan with this result:
Summary:
Cross-site scripting vulnerability in domain parameter to /whois-lookup/
Risk: High (3)
Port: 80/tcp
Protocol: tcp
Threat ID: web_prog_cgi_xssgeneric
I tried to add the widget to a page using the [whois-domain] shortcode, and I get some kind of PHP/HTML output error. Pasting the visible output text:
Invalid Input!"; echo "
" . $result . "
"; } ?>
And here is the HTML from that section:
</form>
<!--?
if($domain) {
$domain = trim($domain);
if(substr(strtolower($domain), 0, 7) == "https://") $domain = substr($domain, 7);
if(substr(strtolower($domain), 0, 4) == "www.") $domain = substr($domain, 4);
if(validate_ip($domain)) {
$result = get_ip($domain);
}
elseif(validate_domain($domain)) {
$result = get_domain($domain);
}
else
$op = "<span class='invalid-input'-->Invalid Input!";
echo "<pre class="result-pre" style="background:".get_option(" result_color_pic')."'=""><font style="font: 1em/150% Tahoma,Geneva,sans-serif;color:".get_option(" result_color_text')."'="">" . $result . "</font></pre>";
}
?>
<div class="invalid-wrap" style="font-weight:bold;color:red;" align="center"></div>
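A hardened form of the lookup handler whose rendered fragment is pasted above, added here as an illustration and not the plugin's own code: the domain parameter is checked against a strict allow-list before lookup and the result is escaped on output, which is the class of issue the scan finding on the domain parameter refers to. Function names, the stub whois backend and the sample inputs are assumed.

```php
<?php
// Added illustration, not the plugin's code. Hypothetical names:
// normalize_lookup_input(), is_safe_lookup_target(), render_lookup_result().

// Normalise the user-supplied value the way the pasted code intends. Note the
// pasted check compares 7 characters against "https://" (8 characters), so it
// can never match; a regex handles both schemes and any case.
function normalize_lookup_input(string $raw): string {
    $domain = trim($raw);
    $domain = preg_replace('#^https?://#i', '', $domain);
    $domain = preg_replace('#^www\.#i', '', $domain);
    // Drop anything after the first slash so only a host reaches the lookup.
    $domain = explode('/', $domain, 2)[0];
    return strtolower($domain);
}

// Strict allow-list: an IPv4/IPv6 address, or a hostname built only from
// letters, digits and hyphens with at least one dot. Everything else is
// rejected before it reaches the whois backend or the page.
function is_safe_lookup_target(string $domain): bool {
    if (filter_var($domain, FILTER_VALIDATE_IP) !== false) {
        return true;
    }
    if (strlen($domain) > 253) {
        return false;
    }
    return (bool) preg_match(
        '/^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$/',
        $domain
    );
}

// Build the result markup. The dynamic value is escaped on output, so registrar
// data containing "<" or quotes is rendered as text, and a rejected input is
// never echoed back at all (a fixed message is enough).
function render_lookup_result(string $raw, callable $whois): string {
    $domain = normalize_lookup_input($raw);
    if (!is_safe_lookup_target($domain)) {
        return '<span class="invalid-input">Invalid Input!</span>';
    }
    $result = $whois($domain);
    return '<pre class="result-pre">'
        . htmlspecialchars($result, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</pre>';
}

// Constructed sample run with a stub backend standing in for the real lookup.
$stub = fn(string $d): string => "Domain Name: $d\nRegistrar: <constructed example>";
echo render_lookup_result('https://www.example.com/', $stub), "\n"; // escaped <pre>
echo render_lookup_result('example.com<b>', $stub), "\n";            // Invalid Input!
```

In a WordPress plugin the escaping call would normally be esc_html() rather than htmlspecialchars(), with the same effect.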
Strange situation:
the plugin works as expected on one site but not on the other one.
This page is not totally empty (but neither is the one where it works) and the element is output at the top. (see another thread)
But on this page there is the form, but after I submit it, the form stays empty and no results are shown.
Any hints?

No matter where I add the shortcode within other page content it always appears at the top of the page.
Is it possible to have the shortcode work inline so I can have other content above it?
Thanks

Needs to be fixed!!

Hi, is there any way to format the results so they don’t appear as one long block of text?
For example it would be nice to leave a blank line between the domain name and registrant details.

Hi,
An excellent plugin, but the plugin does not support the whois of the new gTLDs.
For example: .email, .enterprise