PiRSquared17 / activescaffold

Automatically exported from code.google.com/p/activescaffold
MIT License

XSS possibility with unescaped search parameter #731

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
> What steps will reproduce the problem?

1. Enter a modified JavaScript tag message into the search form with a special
procedure (turn JavaScript OFF and submit the search, then turn JavaScript ON again)
  ex. "><script>alert("test");</script>

2. Then the script will be executed
  ex. an alert "test" dialog

3. This may cause Cross Site Scripting (XSS)

An easier way is:
http://localhost:3000/AS_CONTROLLER/show_search?_method=get&search=%22%3E%3Cscript%3Ealert%28%22test%22%29%3B%3C%2Fscript%3E

> What is the expected output? What do you see instead?

 => I should see a text field with:
    "><script>alert("test");</script>

> What version (or revision) of the product are you using?

 => git-master (as of now - Feb/25/2010)

I found that the following patch (just escaping params for value) will fix this
problem, but there seem to be many other unescaped params like this.
If my worry is correct, I think all the template files need to be checked.

Thank you very much

diff --git a/frontends/default/views/_search.html.erb
b/frontends/default/views/_search.html.erb
index 01b05c0..b47f40e 100644
--- a/frontends/default/views/_search.html.erb
+++ b/frontends/default/views/_search.html.erb
@@ -7,7 +7,7 @@
                     :failure =>
"ActiveScaffold.report_500_response('#{active_scaffold_id}')",
                     :update => active_scaffold_content_id,
                     :html => { :href => href, :id => search_form_id,
:class => 'search', :method => :get } %>
-  <input type="text" name="search" size="50" value="<%= params[:search]
-%>" class="text-input" id="<%= search_input_id %>" autocompleted="off" />
+  <input type="text" name="search" size="50" value="<%=h params[:search]
-%>" class="text-input" id="<%= search_input_id %>" autocompleted="off" />
   <%= submit_tag as_(:search), :class => "submit" %>
   <a href="javascript:void(0)" class="cancel" onclick="f =
this.up('form'); f.reset(); f.onsubmit();"><%= as_(:reset) -%></a>
   <%= loading_indicator_tag(:action => :search) %>
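Review bot: escaping with `h` closes the hole in the `value` attribute, but the `+` line still emits `search_input_id` into the `id` attribute unescaped and keeps the attribute name `autocompleted="off"`, which browsers do not recognise (`autocomplete="off"` is the attribute that actually disables form autofill). Unless `search_input_id` is guaranteed to be generated server-side and never derived from request input, give it the same `h` treatment, and fix the attribute name while this line is being touched. The reporter's concern about other raw `params` interpolations is justified by this very partial: any `<%= ... %>` in the `frontends/default/views` partials that references `params` without `h` should be swept in the same commit.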

Original issue reported on code.google.com by oky...@gmail.com on 25 Feb 2010 at 3:50
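As an added illustration, not code from the report or from ActiveScaffold itself: the Ruby below renders a minimal stand-in for the `_search.html.erb` input tag before and after the patch, shows the reporter's payload breaking out of the `value` attribute in the unescaped version while `h` (`ERB::Util.html_escape`) neutralises it, and then runs a small heuristic sweep of the kind the reporter asks for, flagging every ERB output tag that references `params` without passing through `h`. The local `search` stands in for `params[:search]`, and the `BEFORE_FIX`/`AFTER_FIX` snippets are constructed from the hunk above, not taken from the repository.

```ruby
require "erb"
include ERB::Util  # makes h (html_escape) available, the helper the patch adds

# Payload from the report: closes the value="..." attribute, then injects a script.
PAYLOAD = '"><script>alert("test");</script>'

# Minimal stand-ins for the input tag before and after the patch.
# `search` is a hypothetical local standing in for params[:search].
VULNERABLE_TEMPLATE = '<input type="text" name="search" value="<%= search %>" />'
HARDENED_TEMPLATE   = '<input type="text" name="search" value="<%= h search %>" />'

def render(template, search)
  # The template is evaluated in this binding, so it sees the local `search`
  # and the included `h` helper, much like a Rails 2 view sees params and h.
  ERB.new(template, trim_mode: "-").result(binding)
end

def render_vulnerable(search)
  render(VULNERABLE_TEMPLATE, search)
end

def render_hardened(search)
  render(HARDENED_TEMPLATE, search)
end

# True if a script element survived into the markup, i.e. the payload broke out
# of the attribute. Escaped output only ever contains &lt;script&gt;.
def script_tag_present?(html)
  html.include?("<script")
end

# Heuristic sweep for the reporter's follow-up concern: return every ERB output
# expression (<%= ... %> or <%= ... -%>) that references params without going
# through h / html_escape. It is a grep, not a parser, so it will miss values
# that reach the view via instance variables or helpers.
def unescaped_param_outputs(erb_source)
  erb_source.scan(/<%=\s*(.*?)\s*-?%>/m).flatten.select do |expr|
    expr.include?("params") && expr !~ /\A(?:h|html_escape)\b/
  end
end

# Constructed snippets modelled on the hunk in the report (not the real file).
BEFORE_FIX = <<~TEMPLATE
  <input type="text" name="search" size="50" value="<%= params[:search] -%>" class="text-input" id="<%= search_input_id %>" autocomplete="off" />
  <%= submit_tag as_(:search), :class => "submit" %>
TEMPLATE

AFTER_FIX = BEFORE_FIX.sub("<%= params[:search] -%>", "<%=h params[:search] -%>")

if __FILE__ == $PROGRAM_NAME
  puts render_vulnerable(PAYLOAD)            # attribute closed early, live <script>
  puts render_hardened(PAYLOAD)              # quotes and angle brackets entity-encoded
  p unescaped_param_outputs(BEFORE_FIX)      # ["params[:search]"]
  p unescaped_param_outputs(AFTER_FIX)       # []
end
```

Note that `h` encodes `"` as `&quot;` as well as `<` and `>`; escaping only angle brackets would still let the payload's leading `">` terminate the attribute, which is why attribute values need the full HTML-entity treatment and not just tag stripping.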

GoogleCodeExporter commented 9 years ago
Thanks, fixed in 806b5bd

Original comment by sergio.c...@gmail.com on 25 Feb 2010 at 9:49