Dear Doug,

Thank you for your response.

Your module IS vulnerable, but you haven't tested the vulnerability correctly.
Please see my attached screenshots that confirm the vulnerability.

If you've done the testing in Chrome, open the JS Inspector and you'll see that Chrome is automatically blocking XSS attacks; that's why you probably didn't notice the problem. Also, the "Comment" field on your website is not vulnerable with this code sample, but the "Company" field is; see my other screenshot.

Our procedure is not to go into details and advice on how to fix the subject vulnerability in your code, but to give you general suggestions about what type of vulnerability your code has and where to find details about it. I suggest you take a closer look at the documentation about "Reflective XSS", for example:
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
https://www.owasp.org/index.php/Testing_for_Reflected_Cross_site_scripting_%28OTG-INPVAL-001%29

I will now list your extension on the "Live VEL" list, which indicates that the extension is vulnerable in its current version.

When you fix the vulnerability, please let us know using the form on our website (http://vel.joomla.org/extension-update-form), and after confirming that it's fixed, we will move your listing to "Resolved VEL".

Thank you for your cooperation and best regards,

Bernard Toplak
Joomla! VEL Team
http://vel.joomla.org
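As an added example, not part of Bernard's message or of the extension's own code (the field name and form layout are assumed), here is the reflected "Company" field shown as the vulnerable echo beside its escaped form, with a check that reads the raw response instead of trusting what the browser renders:

```php
<?php
// Added illustration, not code from the extension under discussion.
// A form that re-displays what was submitted (for example after a
// validation error) is the classic reflected-XSS shape: whatever the
// browser sent in the "company" parameter comes straight back in the
// HTML response. Field name and form layout are assumed.

// Vulnerable: the raw request value is interpolated into the attribute.
function renderCompanyFieldVulnerable(array $request): string
{
    $company = $request['company'] ?? '';
    return '<input type="text" name="company" value="' . $company . '">';
}

// Hardened: encode for the HTML attribute context. ENT_QUOTES encodes
// both quote characters, so the value cannot close the attribute. This
// is the same idea as Joomla's $this->escape() helper in views.
function renderCompanyFieldSafe(array $request): string
{
    $company = htmlspecialchars($request['company'] ?? '', ENT_QUOTES, 'UTF-8');
    return '<input type="text" name="company" value="' . $company . '">';
}

// Check used when testing: true if the submitted value survived into the
// response as raw markup. Inspect the raw response (curl, or the browser's
// inspector) rather than the rendered page, because a browser filter such
// as Chrome's may block the reflected markup and hide the bug, as the
// message above notes.
function reflectsRawMarkup(string $html, string $submitted): bool
{
    return strpos($submitted, '<') !== false
        && strpos($html, $submitted) !== false;
}

// Constructed probe value for the test, not an attack payload.
$probe = ['company' => '"><b>probe</b>'];

var_dump(reflectsRawMarkup(renderCompanyFieldVulnerable($probe), $probe['company']));
var_dump(reflectsRawMarkup(renderCompanyFieldSafe($probe), $probe['company']));
```

The first check reports the unescaped echo as reflecting markup and the second reports the escaped one as inert; the same probe run against each form field of a site separates the "Comment" and "Company" cases the message describes.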