Closed nv1t closed 9 years ago
I haven't forgotten about this. I could fix it, but it didn't have any effect on pyvideo until we redid the infrastructure which is finally done.
I'm going to get to this ASAP.
So, this is goofy stuff. The title is generated in the view, not the template. Then there are template tags and a bunch of other complexity.
I did a "quick fix" of bleaching the query text before assembling the title. I think the better fix is to nix all that complexity so it's easier to reason about the output of templates. I contend that's better because it reduces the likelihood of these sorts of things. I created issue #273 to cover that.
There's a reflective XSS in the search.
http://www.pyvideo.org/search?models=videos.video&q=%3C%2Ftitle%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E
Looks like the base template should be fixed.
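The behaviour reported above and the "sanitize the query before assembling the title" fix, as an added example that is not pyvideo's code: the template string, the `Search: ` title format and all function names are assumptions, and `html.escape` from the standard library stands in for the bleach call mentioned in the thread.

```python
import html
from urllib.parse import urlsplit, parse_qs

# Request URL exactly as given in the report on this page.
REPORTED_URL = (
    "http://www.pyvideo.org/search?models=videos.video"
    "&q=%3C%2Ftitle%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E"
)

# Hypothetical base template: the title is inserted without escaping
# because the view is trusted to hand over finished text.
BASE_TEMPLATE = "<html><head><title>{title}</title></head><body></body></html>"


def query_from_url(url):
    """Return the decoded `q` parameter, as the search view would receive it."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def build_title_unsafe(query):
    """'Before': raw query text is concatenated into the title string."""
    return "Search: " + query


def build_title_safe(query):
    """'After': HTML metacharacters are encoded before the title is assembled."""
    return "Search: " + html.escape(query, quote=True)


def render(title):
    """Fill the (assumed) base template with a title built by the view."""
    return BASE_TEMPLATE.format(title=title)


def head_is_intact(page):
    """True when the title element is closed exactly once and no script tag appears."""
    return page.count("</title>") == 1 and "<script" not in page.lower()


if __name__ == "__main__":
    q = query_from_url(REPORTED_URL)
    for build in (build_title_unsafe, build_title_safe):
        page = render(build(q))
        print(build.__name__, "head intact:", head_is_intact(page))
```

`head_is_intact` is also usable as a regression check in a view test, so the title stays covered if the view and template are later simplified.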