hibbitts-design / grav-theme-quark-open-publishing

A customized version of the Quark theme with Git Sync and 'chromeless' mode support.
http://demo.hibbittsdesign.org/grav-open-publishing-quark/
MIT License

XSS issue with partials/simplesearch_searchbox.html #1

Closed rhukster closed 6 years ago

rhukster commented 6 years ago

This theme has a custom simple search override, and it outputs the value without escaping it:

https://github.com/hibbitts-design/grav-theme-quark-open-publishing/blob/master/templates/partials/simplesearch_searchbox.html.twig#L12

Compare this to the default file included in the simplesearch plugin:

https://github.com/getgrav/grav-plugin-simplesearch/blob/develop/templates/partials/simplesearch_searchbox.html.twig#L11

The lack of the |e escaping filter allows XSS attacks via the URL.
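As an added illustration (not code from this theme or from the simplesearch plugin), the Python below stands in for the two templates: `html.escape` plays the role of Twig's `|e` filter, and an HTML parser shows whether the reflected query survives intact inside the input's `value` attribute. The search-box markup and the sample query are constructed for the example.

```python
import html
from html.parser import HTMLParser

# Constructed stand-in for the search box partial: the term taken from the
# URL (?q=...) is reflected into the value attribute of the search input.
SEARCHBOX = '<form action="/search"><input type="text" name="q" value="{value}"></form>'


def render_unescaped(query: str) -> str:
    """Mimics the theme's override: the query is output with no |e filter."""
    return SEARCHBOX.format(value=query)


def render_escaped(query: str) -> str:
    """Mimics the plugin default, which applies Twig's |e filter.

    Twig's |e calls htmlspecialchars with ENT_QUOTES, so & < > " ' are all
    encoded; html.escape(quote=True) encodes the same set (it writes ' as
    &#x27; where Twig writes &#039;, which browsers decode identically).
    """
    return SEARCHBOX.format(value=html.escape(query, quote=True))


class _InputValue(HTMLParser):
    """Collects the decoded value attribute of the first <input> seen."""

    def __init__(self):
        super().__init__()
        self.value = None

    def handle_starttag(self, tag, attrs):
        if tag == "input" and self.value is None:
            self.value = dict(attrs).get("value")


def reflected_value(rendered: str):
    """Return what a browser would take as the search input's value.

    With escaping this round-trips to the original query; without it the
    quote and angle brackets end the attribute early and the value differs.
    """
    parser = _InputValue()
    parser.feed(rendered)
    parser.close()
    return parser.value


# Constructed sample query holding characters an attribute cannot carry raw.
SAMPLE_QUERY = 'open "publishing" & <quark>'

if __name__ == "__main__":
    print(render_unescaped(SAMPLE_QUERY))
    print(render_escaped(SAMPLE_QUERY))
    print(reflected_value(render_unescaped(SAMPLE_QUERY)) == SAMPLE_QUERY)  # False
    print(reflected_value(render_escaped(SAMPLE_QUERY)) == SAMPLE_QUERY)    # True
```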

paulhibbitts commented 6 years ago

Thanks very much for the heads-up @rhuk, I will be releasing an update today with the fix (and also updating my older Antimatter Open Publishing theme that has the same issue).