With search enabled, using the "s=" URL parameter it is possible to inject and execute code in the client browser.
Example: https://my.hugo.page/?s=sxss1'<%2F"></b><img src=1 onerror=alert(document.domain)>
The "s=" parameter should be removed, or its value encoded with encodeURIComponent() before the query parameter is inserted into the DOM.
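The following is an added illustration, not code from the page or from any Hugo theme: it reads the "s=" parameter, shows the string-concatenation pattern that lets the payload above become markup, and the hardened form that escapes for HTML (or uses textContent) instead. It also shows where encodeURIComponent() belongs, namely when building the search URL, since URL encoding and HTML escaping are different concerns. The container id "search-query" is a hypothetical name.

```javascript
// Escape the five characters that can break out of HTML text or attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Extract the decoded "s=" value from a page URL, as the browser would see it.
function getSearchTerm(pageUrl) {
  return new URL(pageUrl).searchParams.get('s') || '';
}

// VULNERABLE pattern: the raw term is concatenated into markup, so a value
// containing "<img src=1 onerror=...>" is parsed as HTML by the browser.
function renderUnsafe(term) {
  return '<p>Results for: ' + term + '</p>';
}

// HARDENED pattern: the term is escaped first and is displayed literally.
function renderSafe(term) {
  return '<p>Results for: ' + escapeHtml(term) + '</p>';
}

// encodeURIComponent() is the right tool when the term goes INTO a URL.
function buildSearchUrl(base, term) {
  return base + '?s=' + encodeURIComponent(term);
}

// In the browser, assigning textContent never parses the term as HTML.
// (Hypothetical element id; falls back to the escaped string outside a DOM.)
function showQuery(pageUrl) {
  const term = getSearchTerm(pageUrl);
  if (typeof document !== 'undefined') {
    const el = document.getElementById('search-query');
    if (el) el.textContent = 'Results for: ' + term;
  }
  return renderSafe(term);
}
```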