salesforce / vulnreport

Open-source pentesting management and automation platform by Salesforce Product Security
http://vulnreport.io
BSD 3-Clause "New" or "Revised" License
592 stars 155 forks

Fix xss bug in search results. #11

Closed leonjza closed 7 years ago

leonjza commented 7 years ago

This PR should fix a simple XSS bug that could occur due to untrusted HTML entities being reflected in the value field of the search input.

To reproduce, search for `"><script>alert(1)</script>`:

[screenshot: 2016-12-22, 11:24:31 am]

With this PR applied, this simple PoC should no longer be possible:

[screenshot: 2016-12-22, 11:20:27 am]
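The attribute-context escaping this fix depends on, shown as an added example that is not vulnreport's own code: the template shape, function names and the regression check are assumptions, and the input string is the PoC from the PR description.

```ruby
require 'erb'

# The search term from the PR description, used here as constructed test input.
POC_QUERY = '"><script>alert(1)</script>'

# Pre-fix shape (assumed): the untrusted term is interpolated straight into the
# quoted value attribute. A double quote in the input closes the attribute and
# everything after it is parsed as live markup by the browser.
def render_search_unsafe(query)
  %(<input type="text" name="q" value="#{query}">)
end

# Fixed shape: HTML-escape the value before it enters the attribute.
# ERB::Util.html_escape turns & < > " ' into entities, so the browser keeps
# the whole term inside the attribute as the literal field value.
def render_search_safe(query)
  %(<input type="text" name="q" value="#{ERB::Util.html_escape(query)}">)
end

# Regression check a maintainer could keep in the test suite: list every tag
# name the rendered markup opens or closes. Only "input" should ever appear.
def tag_names(html)
  html.scan(%r{</?([A-Za-z][A-Za-z0-9]*)}).flatten.map(&:downcase)
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{render_search_unsafe(POC_QUERY)}"
  puts "  tags: #{tag_names(render_search_unsafe(POC_QUERY)).inspect}"
  puts "safe:   #{render_search_safe(POC_QUERY)}"
  puts "  tags: #{tag_names(render_search_safe(POC_QUERY)).inspect}"
end
```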

tbach commented 7 years ago

Thanks for catching and fixing this @leonjza