christianbltr
commented
3 years ago In first short test I could not reproduce this. I tested in the current version (master branch of today) and in version 3.4.1 (both TYPO3 10.4.14). I tested with and without routing / speaking URLs activated.
When I add your example query parameter to the search page like this
/search?tx_kesearch_pi1%5Bsword%5D=1');alert('powthe whole query is treated as a search query which results in
Are you sure this is a ke_search issue? Maybe this issue is in your override template?
Please note that security issues should be reported to the TYPO3 security team: https://typo3.org/community/teams/security/extension-security-policy
mikestreety
Hello,
Background
I am currently on version 3.4.2 due to conflicts with the aforementioned
tt_newsindexer I've not had time to look at yet - seems to have been a busy month for me.We have just had a pen test run on one of our sites and a Cross-Site-Scripting (XSS) issue was raised. I'm currently in the process of deploying a "fix" to our site, so apologies if this has been fixed/mentioned elsewhere.
We are not using the Site config and our search doesn't have "pretty" URLs which, because of the
history.replaceStatein the Template is open to XSS.Example
This line here: https://github.com/teaminmedias-pluswerk/ke_search/blob/master/Resources/Private/Templates/SearchForm.html#L14
Seems to spit out the URL as is, which means if your URL has this at the end:
The alert is triggered:
This is obviously a mild example, but it could potentially have dangerous consequences - especially as it lets you render text on the page
As a quick/hotfix i've removed that script line from my template override. I've not looked into the code or anything for this - will try and have a poke around next week if it helps.
👍