gethugothemes / hugo-modules

30+ Powerful Hugo Modules Created By Gethugothemes.
https://gethugothemes.com/hugo-modules
MIT License

Search XSS vulnerability #22

Closed ma-ha closed 11 months ago

ma-ha commented 11 months ago

With search enabled, using the "s=" URL parameter it is possible to inject and execute code in the client browser. Example: https://my.hugo.page/?s=sxss1'<%2F"></b><img src=1 onerror=alert(document.domain)>

The "s=" parameter should be removed or fixed using encodeURIComponent() before inserting the query parameter into the DOM.
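As an added illustration of the bug class described in this report (example code, not the hugo-modules search script): the snippet below reads `s` from a query string the way a search page would, shows the unsafe pattern of concatenating that value straight into HTML, and then the two defences that neutralise it. The reporter's proof-of-concept string is reused only as a test input, the `escapeHtml`/`renderHeading*`/`buildSearchHref` names are my own, and the DOM element is a minimal stand-in so the code runs under Node without a browser.

```javascript
// Added example, not code from the hugo-modules repository.
// Demonstrates how an attacker-controlled "s=" value reaches the DOM and how to stop it.

// The proof-of-concept query from the issue report, reused here only as test input.
const POC_QUERY = `sxss1'</"></b><img src=1 onerror=alert(document.domain)>`;

// Reads the "s" parameter the way a search page would (hypothetical helper).
function getSearchQuery(locationSearch) {
  return new URLSearchParams(locationSearch).get("s") || "";
}

// VULNERABLE pattern: the raw query is concatenated into markup. When this string
// is assigned to innerHTML, the <img onerror=...> inside it becomes live DOM.
function renderHeadingUnsafe(query) {
  return `<h2>Search results for "${query}"</h2>`;
}

// Fix 1: HTML-escape the five significant characters before building markup.
function escapeHtml(str) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderHeadingEscaped(query) {
  return `<h2>Search results for "${escapeHtml(query)}"</h2>`;
}

// Fix 2: do not build markup at all; assign the value as text. In a browser this is
// `el.textContent = ...`; the stand-in object here just records what would be set.
function setHeadingText(element, query) {
  element.textContent = `Search results for "${query}"`;
  return element;
}

// URL context: when the query is re-emitted inside a link (for example a "next page"
// href), it needs URL encoding, which is what encodeURIComponent() provides.
function buildSearchHref(query, page) {
  return `/?s=${encodeURIComponent(query)}&page=${page}`;
}

// Check used below: is there any "<" in the output other than our own <h2> wrapper?
// Escaped output contains only "&lt;", so it never matches.
function hasInjectedTag(html) {
  return /<(?!\/?h2\b)/.test(html);
}

// Walk-through with the proof-of-concept value.
const query = getSearchQuery("?s=" + encodeURIComponent(POC_QUERY));
console.log("unsafe  :", renderHeadingUnsafe(query), "-> injected tag:", hasInjectedTag(renderHeadingUnsafe(query)));
console.log("escaped :", renderHeadingEscaped(query), "-> injected tag:", hasInjectedTag(renderHeadingEscaped(query)));
console.log("as text :", setHeadingText({}, query).textContent);
console.log("as href :", buildSearchHref(query, 2));
```

The two fixes are for different contexts: `textContent` (or HTML escaping) when the value is shown on the page, and `encodeURIComponent()` when the value is placed back into a URL. Using only the URL encoder on a value that is then written as HTML would leave `<` and `>` intact after the browser decodes the parameter, which is why the walk-through above escapes at the point of DOM insertion.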

ma-ha commented 11 months ago

This fix works: https://github.com/gethugothemes/hugo-modules/commit/713e4f9de90e5c359a53697334c6cbfc050e7bd3

ma-ha commented 11 months ago

This fix is better: https://github.com/ma-ha/hugo-modules/commit/249f841a33d02893dd1424baa05cc11f8a47af7f

tfsomrat commented 11 months ago

Hey @ma-ha, I have added the changes: https://github.com/gethugothemes/hugo-modules/commit/37017d01a181089a951e8f5d0a16c89ce234688e

thanks