Skip to content
KSEF-BUS-192 SECURITY Warning KSeF Guard Only

Script injection pattern in invoice text fields

Wzorzec script injection w polach tekstowych faktury

Problem

An invoice text field contains script code patterns (e.g. JavaScript, HTML event handlers). This may indicate an XSS attack attempt or accidental paste of code.

How to Fix

Check item descriptions and other text fields — remove any JavaScript code and HTML event handlers. Invoice fields must contain plain text only.

Source Reference

KSeF Guard security heuristic (script injection prevention)

View source

Source Quote

“Invoice text fields must not contain script injection patterns (script tags, javascript:, etc.).”
Description SHA-256: 45f403e515ac…

Justification

FORMAT

Legal Basis Chain

1

KSeF Guard — XSS / script injection prevention

KSeF Guard — prewencja XSS / script injection

“[KSeF Guard heuristic] Invoice text fields in the FA(3) schema are of xsd:string type. Scripts and HTML event handlers are not explicitly prohibited by the VAT Act but represent a classical XSS attack vector against systems that display invoice content in a browser (web reports, dashboards, email previews). Guard detects potentially dangerous patterns before the document reaches presentation layers.”
KSeF Guard security heuristic (script injection prevention)