> What steps will reproduce the problem?
1. Enter a modified JavaScript tag message into the search form using a special
procedure (turn JavaScript OFF, submit the search, then turn JavaScript ON again)
ex. "><script>alert("test");</script>
2. Then the script will be executed
ex. alert "test" dialog
3. This may cause Cross Site Scripting (XSS)
An easier way is:
http://localhost:3000/AS_CONTROLLER/show_search?_method=get&search=%22%3E%3Cscript%3Ealert%28%22test%22%29%3B%3C%2Fscript%3E
> What is the expected output? What do you see instead?
=> I should see text-field with:
"><script>alert("test");</script>
> What version (or revision) of the product are you using?
=> git-master (as of now - Feb/25/2010)
I found that the following patch (just escaping params for value) fixes this
problem, but there seem to be many other unescaped params like this.
If my worry is correct, I think all the template files need to be checked.
Thank you very much
diff --git a/frontends/default/views/_search.html.erb
b/frontends/default/views/_search.html.erb
index 01b05c0..b47f40e 100644
--- a/frontends/default/views/_search.html.erb
+++ b/frontends/default/views/_search.html.erb
@@ -7,7 +7,7 @@
:failure =>
"ActiveScaffold.report_500_response('#{active_scaffold_id}')",
:update => active_scaffold_content_id,
:html => { :href => href, :id => search_form_id,
:class => 'search', :method => :get } %>
- <input type="text" name="search" size="50" value="<%= params[:search]
-%>" class="text-input" id="<%= search_input_id %>" autocompleted="off" />
+ <input type="text" name="search" size="50" value="<%=h params[:search]
-%>" class="text-input" id="<%= search_input_id %>" autocompleted="off" />
<%= submit_tag as_(:search), :class => "submit" %>
<a href="javascript:void(0)" class="cancel" onclick="f =
this.up('form'); f.reset(); f.onsubmit();"><%= as_(:reset) -%></a>
<%= loading_indicator_tag(:action => :search) %>
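Review bot: the `h` added to `<%=h params[:search] -%>` in the `value` attribute is the right fix for this spot, since `h` entity-encodes `"`, `<`, `>` and `&`, so the reporter's payload is rendered as literal text inside the attribute instead of closing it and opening a `<script>` tag; but the patch only covers this one interpolation, and every other place the views echo `params[...]` or other request-derived strings without `h` needs the same treatment, as the reporter suspects. Two smaller points on the same lines: `autocompleted="off"` is not a standard attribute and was presumably meant to be `autocomplete="off"`; and the `-%>" class="text-input" ...` lines shown with a leading `-` are the wrapped tail of the same ERB line (the `-%>` is the ERB closing tag), not a second removed line, so the real change is the single `<%=` to `<%=h`.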
Original issue reported on code.google.com by oky...@gmail.com on 25 Feb 2010 at 3:50
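To show concretely what the one-character patch changes, here is an added Ruby example (not part of the original report or of ActiveScaffold) that renders the search field template both without and with the `h` helper, using the reporter's payload, and checks whether the input broke out of the attribute. The template strings are a constructed, trimmed version of the `<input>` line in the diff.

```ruby
require 'erb'
include ERB::Util # provides h / html_escape, the same helper the patch adds

# Constructed from the report: the payload closes the value attribute and injects a script tag.
PAYLOAD = '"><script>alert("test");</script>'

# Before the patch: params[:search] is interpolated raw into the attribute value.
VULNERABLE = '<input type="text" name="search" value="<%= params[:search] -%>" class="text-input" />'
# After the patch: h() entity-encodes ", <, > and & so the browser shows the text verbatim.
FIXED      = '<input type="text" name="search" value="<%=h params[:search] -%>" class="text-input" />'

# Render a template the way the view does, with a minimal params hash in scope.
def render_search_field(template, search)
  params = { search: search }
  ERB.new(template, trim_mode: '-').result(binding)
end

# Defensive check: the template contains exactly one '<' (the <input> tag); any
# additional '<' in the rendered output means user data started a new tag.
def attribute_breakout?(html)
  html.count('<') > 1
end

if __FILE__ == $0
  [VULNERABLE, FIXED].each do |tpl|
    out = render_search_field(tpl, PAYLOAD)
    puts "#{attribute_breakout?(out) ? 'BREAKOUT' : 'safe    '}: #{out}"
  end
end
```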