NESCent / FossilCalibrations

Fossil calibrations database
http://fossilcalibrations.org
BSD 2-Clause "Simplified" License

Application is vulnerable to XSS attacks #32

Closed dleehr closed 10 years ago

dleehr commented 10 years ago

I tested with OWASP ZAP, it found that the search.php form will accept JavaScript and render it back into the document, e.g.

/search.php?SortResultsBy=%3C%2Fpre%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Cpre%3E

http://projects.webappsec.org/Cross-Site-Scripting http://cwe.mitre.org/data/definitions/79.html

jimallman commented 10 years ago

@dleehr, thanks for catching this. Our normal page output is safely encoded, but these diagnostic print_r strings were unsafe. I'm now intercepting them and applying htmlentities() in each case.
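An added illustration of the fix jimallman describes, not code from the FossilCalibrations project: it assumes search.php emitted its diagnostic output as `print_r` inside a `<pre>` block, and shows the unencoded version next to one that passes the captured string through htmlentities() before it reaches the page.

```php
<?php
// Added example, not FossilCalibrations code. Assumes the diagnostic output in
// search.php was something like: echo '<pre>' . print_r($_GET, true) . '</pre>';

// Vulnerable form: the print_r string is inserted into the document unencoded,
// so a parameter value containing markup is rendered as markup.
function debug_dump_unsafe(array $params): string {
    return '<pre>' . print_r($params, true) . '</pre>';
}

// Fixed form: print_r output is captured (second argument true) and HTML-encoded
// before it is echoed. ENT_QUOTES also encodes ' and " so the same helper stays
// safe inside attribute values; ENT_SUBSTITUTE keeps htmlentities() from
// returning an empty string when the input is not valid UTF-8.
function debug_dump_safe(array $params): string {
    $dump = print_r($params, true);
    return '<pre>' . htmlentities($dump, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</pre>';
}

// Constructed input: the SortResultsBy value from the report's proof-of-concept
// URL, as PHP delivers it in $_GET after URL-decoding.
$params = ['SortResultsBy' => '</pre><script>alert(1);</script><pre>'];

$unsafe = debug_dump_unsafe($params);
$safe   = debug_dump_safe($params);

// The unsafe dump still contains a live <script> element and closes the <pre>
// early; the safe dump contains only encoded text inside a single <pre>.
assert(strpos($unsafe, '<script>') !== false);
assert(strpos($safe, '<script>') === false);
assert(strpos($safe, '&lt;script&gt;') !== false);
assert(substr_count($safe, '<pre>') === 1);

echo $safe, PHP_EOL;
```

Encoding at the output point is what closes the hole; validating or stripping SortResultsBy on input would still leave any other diagnostic dump exposed.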