symphonists / search_index

Search Index provides an easy way to implement high performance fulltext searching on your Symphony site
32 stars 21 forks source link

Possible XSS vulnerability? #33

Open davidhund opened 12 years ago

davidhund commented 12 years ago

I implemented Search Index in a site recently and already notice XSS attacks ("tries", I guess) popping up in the logs.

While I don't think there are serious issues one keyword does result in a XSLT error:

loadXML(): attributes construct error in Entity, line: 275 loadXML(): Couldn't find end of Start Tag keyword line 275 in Entity, line: 275

I am hesitant to post the triggering keyword but could mail you more details personally?

nickdunn commented 12 years ago

Hi David.

nick [at] nick-dunn [dot] co.uk will reach me.

Thanks :-)

animaux commented 7 years ago

@davidhund has this been resolved back then?

davidhund commented 7 years ago

Hi @animaux — that's a long time ago and I have not worked with Symphony much since then so I do not know. I believe @nickdunn was thinking about abandoning SI and moving to an ElasticSearch plugin. But I honestly would not know where things stand a.t.m.

animaux commented 7 years ago

Thanks David. Nick is long gone from the Symphony CMS community. ElasticSearch is no option for my projects, so I’m trying to keep this one alive :) Just wanted to see if there was anything done about this back then.

nitriques commented 7 years ago

@animaux Try to wrap the values in cdata section. The xml failing to load is kind of normal when you input thing into it that is not valid.