search_index icon indicating copy to clipboard operation
search_index copied to clipboard

Published 20 hours ago verified publisher icon symphonists

Possible XSS vulnerability?

Open davidhund opened this issue 13 years ago • 5 comments

I implemented Search Index in a site recently and already notice XSS attacks ("tries", I guess) popping up in the logs.

While I don't think there are serious issues one keyword does result in a XSLT error:

loadXML(): attributes construct error in Entity, line: 275 loadXML(): Couldn't find end of Start Tag keyword line 275 in Entity, line: 275

I am hesitant to post the triggering keyword but could mail you more details personally?

davidhund avatar Dec 16 '11 18:12 davidhund

Hi David.

nick [at] nick-dunn [dot] co.uk will reach me.

Thanks :-)

nickdunn avatar Dec 17 '11 18:12 nickdunn

@davidhund has this been resolved back then?

animaux avatar Apr 03 '17 07:04 animaux

Hi @animaux — that's a long time ago and I have not worked with Symphony much since then so I do not know. I believe @nickdunn was thinking about abandoning SI and moving to an ElasticSearch plugin. But I honestly would not know where things stand a.t.m.

davidhund avatar Apr 03 '17 09:04 davidhund

Thanks David. Nick is long gone from the Symphony CMS community. ElasticSearch is no option for my projects, so I’m trying to keep this one alive :) Just wanted to see if there was anything done about this back then.

animaux avatar Apr 03 '17 09:04 animaux

@animaux Try to wrap the values in cdata section. The xml failing to load is kind of normal when you input thing into it that is not valid.

nitriques avatar Apr 05 '17 21:04 nitriques