This article describes how to handle the error 'The string contains XSS vulnerability characters', which appears when a captive portal login URL containing the special character '#' is configured on a FortiGate.
FortiOS.
A captive portal is set up for Wi-Fi users on a FortiGate, and users are presented with the captive portal page upon connecting to the Wi-Fi. However, after they enter their credentials, the application returns the error message 'space_id in an integer and greater than 0'.
The issue arises because the application requires the full URL, 'https://internet.abc.com:4201/#/login?%7C=15&cid=54394', to be defined in the captive portal login page configuration.
However, this URL contains the special character '#', which FortiGate treats as a potential XSS vulnerability. When attempting to add this URL, the system returns the error 'The string contains XSS vulnerability characters'. See below:
The issue occurs even when using the CLI:
set security-external-web internet.abc.com:4201/#/login%7C=15&cid=543
The string contains XSS vulnerability characters
value parse error before 'internet.abc.com:4201/'
Command fail. Return code -173
When the URL is added as 'https://internet.abc.com:4201/login?%7C=15&cid=54394', with the special character '#' removed, it is saved successfully in the FortiGate configuration. However, when the user then tries to log in via the captive portal, the page URL arrives as 'https://internet.abc.com:4201/#/login', without the space ID. On the application side, the user is not allowed to authenticate without the space ID.
Even when the URL 'https://internet.abc.com:4201/login?%7C=15&cid=54394' (without '#') is opened from an outside network, with no FortiGate in the path, the application redirects it to 'https://internet.abc.com:4201/#/login' without the space ID. Only when '#' is present is the space ID reflected.
From the application's point of view, it is therefore necessary to include the character '#' in security-external-web, because the part of the URL after '#' carries the space ID that the application needs to authenticate the user.
The reason for not allowing the '#' symbol is the cross-site scripting (XSS) vulnerability check that FortiOS applies to user-configured strings; the list of rejected characters includes < > ( ) # \ " and '. This is also evident from the error message that appeared in the console: 'The string contains XSS vulnerability characters'.
Note that this is not an issue on the FortiGate side: FortiGate is working as designed when it rejects '#' because of the cross-site scripting check.
To resolve this issue, encode the URL so that it no longer contains a rejected character, for example by percent-encoding '#' as '%23', which is not one of the rejected characters. Be aware that this changes the meaning of the URL for the browser: an unencoded '#' starts the fragment, which the browser keeps locally and never sends to the server, whereas '%23' is a literal character in the path. The application must therefore be able to accept the encoded form. Alternatively, work with the application provider to explore whether a version of the URL without these special characters is available for use in the captive portal configuration.
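The following is an added example, not Fortinet's code or the FortiOS implementation. It reproduces a check equivalent to the character list quoted above (the real FortiOS check may differ in detail), shows that percent-encoding '#' as '%23' is enough to pass that check, and uses the standard library URL parser to show why the space ID is lost when '#' is removed: with '#' present, '/login?%7C=15&cid=54394' is the fragment, which stays in the browser and is handled by the application's client-side routing; with '#' removed or encoded, the same text becomes path and query that go to the server instead. The URL is the one from this article; the function names are the example's own.

```python
"""Added example: emulate a FortiOS-style XSS character check and show what
'#' versus '%23' does to a captive-portal URL. Not Fortinet code."""
from urllib.parse import quote, urlsplit

# Character list the article attributes to the FortiOS check: < > ( ) # \ " '
# (assumed to be matched literally against the configured string)
XSS_CHARS = frozenset('<>()#\\"\'')

# URL from the article, used as constructed sample input
ORIGINAL_URL = "https://internet.abc.com:4201/#/login?%7C=15&cid=54394"
STRIPPED_URL = "https://internet.abc.com:4201/login?%7C=15&cid=54394"


def xss_chars_in(value: str) -> set:
    """Return the characters in value that the emulated check would reject."""
    return {c for c in value if c in XSS_CHARS}


def passes_check(value: str) -> bool:
    """True if the emulated check would accept the string (no rejected characters)."""
    return not xss_chars_in(value)


def encode_fragment_marker(url: str) -> str:
    """Percent-encode only '#' (-> '%23'); the rest of the URL is left unchanged."""
    return url.replace("#", quote("#", safe=""))


def split_url(url: str) -> dict:
    """Split a URL the way a browser does: everything after the first unencoded
    '#' is the fragment, which the browser never sends to the server."""
    parts = urlsplit(url)
    return {
        "path": parts.path,          # sent to the server
        "query": parts.query,        # sent to the server
        "fragment": parts.fragment,  # kept by the browser only
    }


if __name__ == "__main__":
    for label, url in (("original", ORIGINAL_URL),
                       ("stripped", STRIPPED_URL),
                       ("encoded", encode_fragment_marker(ORIGINAL_URL))):
        print(f"{label:9} check={'pass' if passes_check(url) else 'FAIL'}",
              xss_chars_in(url) or "", split_url(url))
```

Running the block prints that the original URL fails the check on '#' alone, that both the stripped and the '%23' forms pass, and that only the original URL carries '/login?%7C=15&cid=54394' as a fragment. In the encoded form that text becomes the server-side path '/%23/login' with a query string, which is why the application provider must confirm that its login endpoint accepts it before this workaround is deployed.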
Copyright 2024 Fortinet, Inc. All Rights Reserved.