hibbitts-design/grav-theme-quark-open-publishing

XSS issue with partials/simplesearch_searchbox.html

Closed this issue · 1 comments

This theme has a custom simple search override, and it outputs the value without escaping it:

https://github.com/hibbitts-design/grav-theme-quark-open-publishing/blob/master/templates/partials/simplesearch_searchbox.html.twig#L12

Compare this to the default file included in the simplesearch plugin:

https://github.com/getgrav/grav-plugin-simplesearch/blob/develop/templates/partials/simplesearch_searchbox.html.twig#L11

The lack of the |e escaping filter allows XSS attacks via the URL.
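As an added illustration (not code from the theme or the simplesearch plugin): a small check that flags Twig `{{ ... }}` output tags that carry no `|e`/`|escape` filter, plus a rendering of what the `value` attribute looks like with and without escaping. The template lines are constructed stand-ins for the partial, and the example assumes Twig autoescaping is off, as the report implies.

```python
import html
import re

# Matches a Twig output tag {{ ... }} and captures the expression inside it.
TWIG_OUTPUT = re.compile(r"\{\{\s*(.*?)\s*\}\}")
# Filters that HTML-escape the output; anything else leaves it unescaped.
SAFE_FILTERS = {"e", "escape"}


def find_unescaped_outputs(template: str):
    """Return (line_no, expression) for every {{ ... }} that applies no |e / |escape filter.

    Assumption: Twig autoescape is off, so only an explicit filter escapes the value.
    """
    findings = []
    for line_no, line in enumerate(template.splitlines(), start=1):
        for match in TWIG_OUTPUT.finditer(line):
            expr = match.group(1)
            # Filter chain after the first '|'; drop filter arguments such as e('html_attr').
            filters = [part.strip().split("(")[0] for part in expr.split("|")[1:]]
            if not any(name in SAFE_FILTERS for name in filters):
                findings.append((line_no, expr))
    return findings


def render_value(query: str, escaped: bool) -> str:
    """Emulate the markup the search box emits for a query, with or without |e."""
    rendered = html.escape(query, quote=True) if escaped else query
    return f'<input type="text" name="searchfield" value="{rendered}">'


# Constructed stand-ins for the theme's partial, not the real file contents.
VULNERABLE = '<input type="text" name="searchfield" value="{{ query }}">'
FIXED = '<input type="text" name="searchfield" value="{{ query|e }}">'

if __name__ == "__main__":
    print(find_unescaped_outputs(VULNERABLE + "\n" + FIXED))  # flags line 1 only
    probe = 'x"><b>bold</b>'  # constructed value that closes the attribute
    print(render_value(probe, escaped=False))  # attribute is broken out of
    print(render_value(probe, escaped=True))   # quotes and brackets are entity-encoded
```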

Thanks very much for the heads-up @RHUK, I will be releasing an update today with the fix (and also updating my older Antimatter Open Publishing theme that has the same issue).