[MGNLSTK-660] XSS leak in standard search field Created: 08/Jul/10 Updated: 13/Jul/10 Resolved: 13/Jul/10 |
|
| Status: | Closed |
| Project: | Magnolia Standard Templating Kit (closed) |
| Component/s: | None |
| Affects Version/s: | 1.3.1 |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Critical |
| Reporter: | Hay Kranen | Assignee: | Philipp Bärfuss |
| Resolution: | Cannot Reproduce | Votes: | 0 |
| Labels: | security, stk, xss | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
|
||||||||
| Template: |
|
||||||||
| Acceptance criteria: |
Empty
|
||||||||
| Date of First Response: | |||||||||
| Description |
|
HTML content is not escaped in the two search fields in the default STK site (the default one at the top, and the one on the bottom on the results page). E.g, search for "><script>alert("xss");</script> This works on the live Magnolia-cms.com site: Related to issue |
| Comments |
| Comment by Philipp Bärfuss [ 13/Jul/10 ] |
|
Definitely not reproducible with 1.3.1. Test same request on demo: |