[opencms-dev] help with escaping search query in Opencms 10.0.0

Gratian Francis gfrancis2 at cancercare.mb.ca
Fri Jul 26 16:49:48 CEST 2019


Hi List,

So I'm still using OpenCMS 10.0.0 as I'm encountering issues with the upgrade to 11, however with my current install of 10, I'm noticing in the site search that a JavaScript script can be run from the site search input. For example, if someone were to search the following, "><script type="text/javascript">alert("hello");</script>, the alert is executed. I'm using a cloned version of the Apollo template and have not made any changes to the jsp-search-formatter.jsp.

From what testing I've done, I believe the issue arises due to the beginning characters "> not being escaped properly, as searching only <script type="text/javascript">alert("hello");</script> does not execute the script...

Gratian Francis
Junior Programmer Analyst
CancerCare Manitoba
CC40-825 Sherbrook Street
Winnipeg, MB R3A 1M5
Cell: 204-794-1230
gfrancis2 at cancercare.mb.ca


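The behaviour described in the post (the payload with a leading "> runs, the same tags without it do not) is what you get when the query is written back unescaped into the quoted value="..." attribute of the search input: the "> closes the attribute and the tag, and the rest of the string becomes markup. The following is an added example, not code from OpenCms or the Apollo template, and it assumes that the search formatter echoes the query into an attribute of that shape. The escapeHtml helper is a stand-in for the JSTL fn:escapeXml() function or the <c:out> tag, which is what a JSP should use for output in HTML context; countTags is a deliberately simplified model of how a tag parser treats quotes, used only to make the difference visible.

```java
// Added example (not OpenCms project code): shows how an unescaped search
// query breaks out of the value="..." attribute of a search input, and how
// escaping for the HTML attribute context prevents it.
public class SearchEscapeDemo {

    // Escape the five characters that matter in HTML text and attribute context.
    // In a JSP this is what <c:out value="..."/> or fn:escapeXml() does for you.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Vulnerable rendering (assumed shape of the formatter output): the query
    // is concatenated straight into the attribute value.
    static String renderUnescaped(String query) {
        return "<input type=\"text\" name=\"q\" value=\"" + query + "\">";
    }

    // Hardened rendering: the query is escaped for the attribute context first.
    static String renderEscaped(String query) {
        return "<input type=\"text\" name=\"q\" value=\"" + escapeHtml(query) + "\">";
    }

    // Simplified tag parser: inside a tag, a double-quoted region is attribute
    // text, so '<' and '>' within it are literal. Returns how many tags the
    // markup contains; we emitted exactly one, so anything above 1 means the
    // query escaped from the attribute.
    static int countTags(String html) {
        int tags = 0;
        boolean inTag = false, inQuote = false;
        for (int i = 0; i < html.length(); i++) {
            char c = html.charAt(i);
            if (!inTag) {
                if (c == '<') { inTag = true; tags++; }
            } else if (inQuote) {
                if (c == '"') inQuote = false;
            } else if (c == '"') {
                inQuote = true;
            } else if (c == '>') {
                inTag = false;
            }
        }
        return tags;
    }

    static boolean attributeBroken(String html) {
        return countTags(html) > 1;
    }

    public static void main(String[] args) {
        // Constructed inputs: the payload from the post, and the variant without
        // the leading "> which stays inside the quoted attribute value.
        String breakout   = "\"><script type=\"text/javascript\">alert(\"hello\");</script>";
        String noBreakout = "<script type=\"text/javascript\">alert(\"hello\");</script>";

        for (String q : new String[] { breakout, noBreakout }) {
            String unsafe = renderUnescaped(q);
            String safe   = renderEscaped(q);
            System.out.println("query    : " + q);
            System.out.println("unescaped: " + unsafe + "  broken=" + attributeBroken(unsafe));
            System.out.println("escaped  : " + safe   + "  broken=" + attributeBroken(safe));
            System.out.println();
        }
    }
}
```

Compile and run with javac/java; the unescaped rendering of the first query reports broken=true (three tags: the input, the script open tag and the script close tag), the unescaped rendering of the second reports broken=false because every '<' stays inside a quoted region, and both escaped renderings report broken=false. In the JSP itself the fix is to never write the request parameter with raw ${...} or a scriptlet concatenation; use ${fn:escapeXml(param.q)} or <c:out value="${param.q}"/> so that the query is escaped in every context in which it is echoed, including the attribute.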