Closed rwinch closed 11 years ago
The commit 5fb9416c did JS escaping on the searches, but there is no escaping of HTML, which can lead to other types of attacks. For example, one could use this to perform a phishing attack. Try opening this link in Firefox:
http://www.grails.org/search?q=%3Cstyle%3Ediv%2C+%23footer+{+display%3A+none%3B+}%3C%2Fstyle%3E%3C%2Fsection%3E%3C%2Fdiv%3E%3C%2Fdiv%3E%3Ciframe+height%3D%22800%22+width%3D%221800%22+style%3D%22overflow%3Ahidden%22+src%3D%22http%3A%2F%2Fevil.com%22%3E%3C%2Fiframe%3E
Imagine that link was an actual evil site that had a fake login form requesting the user's credentials and submitted them to the evil site.
This commit HTML-escapes the query.
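Added example (Python, not the grails.org site's own Groovy code) contrasting the two escapers the description mentions, using the query from the link above as input: the js_string_escape helper is an assumption standing in for whatever commit 5fb9416c did, and render_results_heading is a simulated template fragment, not the site's template.

```python
# Added example: JS-string escaping alone does not neutralise a search term
# that is echoed into the HTML body; HTML escaping of the query does.
import html
import json
from urllib.parse import urlparse, parse_qs

# The proof-of-concept link quoted in the PR description (copied verbatim).
POC_URL = ("http://www.grails.org/search?q=%3Cstyle%3Ediv%2C+%23footer+{+display%3A+none%3B+}"
           "%3C%2Fstyle%3E%3C%2Fsection%3E%3C%2Fdiv%3E%3C%2Fdiv%3E%3Ciframe+height%3D%22800%22"
           "+width%3D%221800%22+style%3D%22overflow%3Ahidden%22+src%3D%22http%3A%2F%2Fevil.com%22"
           "%3E%3C%2Fiframe%3E")


def query_param(url: str) -> str:
    """Return the decoded ?q= value exactly as the search page receives it."""
    return parse_qs(urlparse(url).query)["q"][0]


def js_string_escape(s: str) -> str:
    """Assumed stand-in for the JS escaping of commit 5fb9416c: safe inside a
    JavaScript string literal, but < > " are left untouched, so it is no
    protection once the value lands in an HTML context."""
    return json.dumps(s)[1:-1]


def html_escape(s: str) -> str:
    """HTML escaping as the fix applies it: < > & " ' become entities."""
    return html.escape(s, quote=True)


def render_results_heading(query: str, escaper) -> str:
    """Simulated template fragment that echoes the search term into the body."""
    return f"<h2>Results for {escaper(query)}</h2>"


def contains_markup(fragment: str) -> bool:
    """Detection helper: did an injected tag survive into the rendered HTML?"""
    lowered = fragment.lower()
    return "<iframe" in lowered or "<style" in lowered


if __name__ == "__main__":
    q = query_param(POC_URL)
    print("JS-escaped   ->", contains_markup(render_results_heading(q, js_string_escape)))  # True
    print("HTML-escaped ->", contains_markup(render_results_heading(q, html_escape)))       # False
```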