Closed leonjza closed 7 years ago
This PR should fix a simple XSS bug that could occur due to untrusted HTML entities being reflected in the `value` field of the search input.

To reproduce, search for `"><script>alert(1)</script>`:

With this PR applied, this simple PoC should no longer be possible:
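The defect described in this PR is a classic attribute-context reflection: a quote character in the search term closes the `value="..."` attribute and whatever follows is parsed as new markup. The example below is added here and is not code from this PR or from the project it patches; it assumes a hypothetical template that writes the term into an `<input>` and uses Python's standard `html.escape` as the fix. It renders the PoC string from the PR description (used as a constructed test input) both ways and parses the result to show that only the unescaped rendering yields a second element, while the escaped rendering preserves the original search term as the attribute value.

```python
"""Attribute-context XSS: unescaped versus escaped rendering of a search term.

Added example, not the project's code. The template strings and the
breakout check are assumptions for illustration.
"""
import html
from html.parser import HTMLParser

# Payload quoted in the PR description, used here as a constructed test input.
SEARCH_PAYLOAD = '"><script>alert(1)</script>'


def render_unescaped(term: str) -> str:
    """Vulnerable form: the search term is interpolated straight into the attribute."""
    return f'<input type="text" name="q" value="{term}">'


def render_escaped(term: str) -> str:
    """Fixed form: html.escape(quote=True) encodes &, <, >, " and ', so the term
    can neither terminate the attribute nor open a new tag."""
    return f'<input type="text" name="q" value="{html.escape(term, quote=True)}">'


class _InputScan(HTMLParser):
    """Collects every start tag seen and the value attribute of each <input>,
    approximating what a browser's tokenizer would produce."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.values: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            # HTMLParser decodes entities in attribute values, as a browser does.
            self.values.append(dict(attrs).get("value") or "")


def parse_markup(markup: str) -> tuple[list[str], list[str]]:
    """Return (start tags in order, value attributes of <input> elements)."""
    scanner = _InputScan()
    scanner.feed(markup)
    scanner.close()
    return scanner.tags, scanner.values


def breaks_out_of_attribute(markup: str) -> bool:
    """True when the rendered markup contains more than the single intended <input>."""
    tags, _ = parse_markup(markup)
    return tags != ["input"]


if __name__ == "__main__":
    for label, render in (("unescaped", render_unescaped), ("escaped", render_escaped)):
        markup = render(SEARCH_PAYLOAD)
        tags, values = parse_markup(markup)
        print(f"{label}: tags={tags} value={values!r} breakout={breaks_out_of_attribute(markup)}")
```

The escaped rendering round-trips: the parser hands back the exact search string as the `value` attribute, so the search feature keeps working while the markup boundary stays intact. The same `quote=True` escaping is what a template engine's auto-escaping does for you; the bug class appears when a template disables it or builds the tag by string concatenation.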
Thanks for catching and fixing this @leonjza