tollwerk / TYPO3-ext-tw_lucenesearch

Simple and lightweight implementation of the Apache Lucene Index as frontend search solution for TYPO3. Created by Joschi Kuphal (@jkphl), licensed under the terms of the GPL v2 license.
http://typo3.org/extensions/repository/view/tw_lucenesearch/
GNU General Public License v2.0

Fix XSS vulnerability in searchresults #13

Closed GerDner closed 9 years ago

GerDner commented 9 years ago

A user may use HTML characters in the search term, which are not escaped in the sprintf function.

jkphl commented 9 years ago

@GerDner Sounds reasonable, thanks for the heads-up!

However, just off the top of my head: The way you fix the vulnerability would also lead to the text "Search for: ..." being htmlspecialchar'ed, right? That might work with English (and German), but could lead to unexpected behaviour in other languages ... Wouldn't it be better to use something like this:

<h2 class="tx-twlucenesearch-headline"><f:translate key="search.searchfor" arguments="{0: searchterm -> f:format.htmlspecialchars(...)}"/></h2>

(Untested; not sure if you can use the inline syntax for the viewhelper like this. Maybe it rather has to be something like this: arguments="{0: '{f:format.htmlspecialchars(...)}'}")

GerDner commented 9 years ago

I can test this later and give feedback - thx for quick response

jkphl commented 9 years ago

:+1:

GerDner commented 9 years ago

<f:translate key="search.searchfor" arguments="{0: '{f:format.htmlspecialchars(value: searchterm)}'}"/>

works fine

jkphl commented 9 years ago

@GerDner Excellent. Merged. And thanks again! :)
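The three variants discussed in this thread, written out as plain PHP so the effect of where htmlspecialchars() is applied becomes visible. This is an added illustration, not code from tw_lucenesearch; the labels and the sample search term are constructed for the demonstration.

```php
<?php
// Added example (not the extension's own code): the "Search for: ..." headline
// built three ways. Labels and the sample search term are constructed.

// Vulnerable: the raw term is interpolated into markup (the reported issue).
function headlineUnescaped(string $label, string $term): string
{
    return '<h2>' . sprintf($label, $term) . '</h2>';
}

// Over-escaping: escaping the whole formatted string also neutralises any
// markup the translated label itself legitimately carries (jkphl's concern).
function headlineEscapeWhole(string $label, string $term): string
{
    return '<h2>' . htmlspecialchars(sprintf($label, $term), ENT_QUOTES, 'UTF-8') . '</h2>';
}

// Fix as merged: escape only the untrusted argument, then format. This is what
// arguments="{0: '{f:format.htmlspecialchars(value: searchterm)}'}" does in Fluid.
function headlineEscapeArgument(string $label, string $term): string
{
    return '<h2>' . sprintf($label, htmlspecialchars($term, ENT_QUOTES, 'UTF-8')) . '</h2>';
}

// Constructed inputs: a plain label, a label that carries inline markup, and a
// search term containing a script tag.
$labels = [
    'plain'  => 'Search for: %s',
    'markup' => 'Search for: <em>%s</em>',
];
$term = '<script>alert(1)</script>';

foreach ($labels as $kind => $label) {
    echo "[$kind] unescaped:     ", headlineUnescaped($label, $term), PHP_EOL;
    echo "[$kind] whole-escaped: ", headlineEscapeWhole($label, $term), PHP_EOL;
    echo "[$kind] argument-only: ", headlineEscapeArgument($label, $term), PHP_EOL;
}
```

Only the argument-only variant keeps the label's own `<em>` intact while the injected tag is rendered as text.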