search

bellroy / lesswrong

Less Wrong platform
http://lesswrong.org/
Other
45 stars 23 forks source link

XSS in search page #545

Closed m1el closed 8 years ago

m1el commented 8 years ago

It is possible to execute arbitrary JavaScript code by providing specifically crafted url.

http://lesswrong.com/search/results?q=%3C/script%3E%3Cscript%3Ealert(%271%22;%27)//

wezm commented 8 years ago

Thanks for letting us know.