Possible XSS vulnerability?

Question

Possible XSS vulnerability?

davidhund opened this issue 13 years ago · 5 comments

I implemented Search Index in a site recently and already notice XSS attacks ("tries", I guess) popping up in the logs.

While I don't think there are serious issues one keyword does result in a XSLT error:

loadXML(): attributes construct error in Entity, line: 275
loadXML(): Couldn't find end of Start Tag keyword line 275 in Entity, line: 275

I am hesitant to post the triggering keyword but could mail you more details personally?

Answer 1 · 2011-12-17T18:22:49.000Z

Hi David.

nick [at] nick-dunn [dot] co.uk will reach me.

Thanks :-)

Answer 2 · 2017-04-03T07:59:53.000Z

@davidhund has this been resolved back then?

Answer 3 · 2017-04-03T09:18:45.000Z

Hi @animaux — that's a long time ago and I have not worked with Symphony much since then so I do not know. I believe @nickdunn was thinking about abandoning SI and moving to an ElasticSearch plugin. But I honestly would not know where things stand a.t.m.

Answer 4 · 2017-04-03T09:25:54.000Z

Thanks David. Nick is long gone from the Symphony CMS community. ElasticSearch is no option for my projects, so I’m trying to keep this one alive :) Just wanted to see if there was anything done about this back then.

Answer 5 · 2017-04-05T21:22:20.000Z

@animaux Try to wrap the values in cdata section. The xml failing to load is kind of normal when you input thing into it that is not valid.