Closed rhukster closed 6 years ago
This theme has a custom simple search override, and it outputs the value without escaping it:
https://github.com/hibbitts-design/grav-theme-quark-open-publishing/blob/master/templates/partials/simplesearch_searchbox.html.twig#L12
Compare this to the default file included in the simplesearch plugin:
https://github.com/getgrav/grav-plugin-simplesearch/blob/develop/templates/partials/simplesearch_searchbox.html.twig#L11
The lack of the |e escaping filter allows XSS attacks via the URL.
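As an added illustration (not the theme's or the plugin's code; the template string is a constructed stand-in for the search box partial), a Python model of the two renderings the issue contrasts, with a check that flags when a reflected query breaks out of the `value` attribute:

```python
import html

# Constructed stand-in for the search box partial: the query taken from the
# URL is reflected into an input's value attribute. This is NOT the theme's
# template, only the pattern the issue describes.
SEARCHBOX_TEMPLATE = '<input type="text" name="searchbox" value="{value}">'


def render_unescaped(query: str) -> str:
    """Models the theme override: query interpolated without the |e filter."""
    return SEARCHBOX_TEMPLATE.format(value=query)


def render_escaped(query: str) -> str:
    """Models the plugin default: query passed through Twig's |e filter.

    Twig's default 'html' strategy encodes & < > " and '; html.escape with
    quote=True does the same for this purpose (Twig uses &#039; for the
    single quote, Python &#x27;). Because the attribute is double-quoted,
    'html' is sufficient; an unquoted attribute would need e('html_attr').
    """
    return SEARCHBOX_TEMPLATE.format(value=html.escape(query, quote=True))


def attribute_breakout(rendered: str) -> bool:
    """Detection check on the rendered markup: the partial should contain
    exactly one tag. Any additional '<' means the query closed the attribute
    and injected its own markup."""
    return rendered.count("<") > 1


# Constructed sample query that closes the attribute and adds a harmless tag.
SAMPLE_QUERY = '"><b>injected</b>'

if __name__ == "__main__":
    print("unescaped:", render_unescaped(SAMPLE_QUERY))
    print("escaped:  ", render_escaped(SAMPLE_QUERY))
    print("breakout without |e:", attribute_breakout(render_unescaped(SAMPLE_QUERY)))
    print("breakout with |e:   ", attribute_breakout(render_escaped(SAMPLE_QUERY)))
```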
Thanks very much for the heads-up @rhuk, I will be releasing an update today with the fix (and also updating my older Antimatter Open Publishing theme that has the same issue).