[MGNLSTK-617] Possible content hi-jack via pre-filled search value entry Created: 05/May/10  Updated: 02/Apr/13  Resolved: 06/May/10

Status: Closed
Project: Magnolia Standard Templating Kit (closed)
Component/s: templates
Affects Version/s: 1.2.3, 1.3
Fix Version/s: 1.2.4, 1.3.1

Type: Bug Priority: Critical
Reporter: Jan Haderka Assignee: Jan Haderka
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
is duplicated by MGNLSTK-660 XSS leak in standard search field (Closed)
Template:
Acceptance criteria:
Empty

Description

Currently it is possible to overlay page content via the search field in the default branding template: the pre-filled search value (ctx.queryStr) is written into the field's value attribute without HTML escaping.

Workaround:

  1. In AdminCentral, go to Templating Kit/Templates.
  2. In the template tree, open the branding template at /templating-kit/templates/global/branding.
  3. Replace <input id="searchbar" name="queryStr" type="text" value="${ctx.queryStr!}" /> with <input id="searchbar" name="queryStr" type="text" value="${ctx.queryStr!?html}" />
  4. Make sure the "Enable template" checkbox is checked.
  5. Click Save.
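The difference between the two template lines in step 3, as an added example (not code from the Magnolia STK or from this issue): a Python emulation of both variants and a parser check showing that only the ?html version keeps the whole query inside the value attribute. The escape set assumed for FreeMarker's ?html built-in is &, <, > and ", and the sample query string is constructed.

```python
from html.parser import HTMLParser


def freemarker_html(value: str) -> str:
    """Emulate FreeMarker's ?html built-in (assumed escape set: & < > ")."""
    return (value.replace("&", "&amp;").replace("<", "&lt;")
            .replace(">", "&gt;").replace('"', "&quot;"))


def render_searchbar(query_str, escaped: bool) -> str:
    """Render the searchbar line of the branding template for one request.
    escaped=False mirrors ${ctx.queryStr!}, escaped=True mirrors
    ${ctx.queryStr!?html}; the '!' default turns a missing value (None) into ""."""
    value = "" if query_str is None else query_str
    if escaped:
        value = freemarker_html(value)
    return f'<input id="searchbar" name="queryStr" type="text" value="{value}" />'


class _SearchbarParser(HTMLParser):
    """Record the attributes a parser assigns to the first <input> it meets."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "input" and self.attrs is None:
            self.attrs = dict(attrs)


def parse_searchbar(html: str) -> dict:
    parser = _SearchbarParser()
    parser.feed(html)
    parser.close()
    return parser.attrs or {}


def query_survives(query_str: str, escaped: bool) -> bool:
    """True when the value attribute round-trips to the original query string."""
    return parse_searchbar(render_searchbar(query_str, escaped)).get("value") == query_str


if __name__ == "__main__":
    SAMPLE = 'say "hello" & <goodbye>'   # constructed input, not an exploit string
    for escaped in (False, True):
        print("escaped" if escaped else "raw", query_survives(SAMPLE, escaped))
        print("   ", render_searchbar(SAMPLE, escaped))
```

With the raw variant the first " in the query closes the attribute early, so everything after it is parsed as further attributes or text; with ?html the parser decodes the entities back into the original string.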

Generated at Mon Feb 12 07:28:46 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.