Describe the bug
This got flagged by a security scanning application as a potential vulnerability. Pagination in search results is handled via URL parameters and JavaScript. The input is not sanitized, however, so a bad actor could execute something via the VIVO site's domain.
To Reproduce
For example, try this path on any VIVO running the latest code:
{vivo url}/search?querytext=</script><script>alert("uh%20oh");</script>
Expected behavior
The arbitrary JavaScript passed via the URL should not be executed.
Screenshots
Environment (please complete the following information):
Additional context
https://github.com/vivo-project/Vitro/blob/03517df59ab02108f81f19d8ff383e20f9c556ca/webapp/src/main/webapp/templates/freemarker/body/search/search-pagedResults.ftl#L55
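The core of the bug is that a URL parameter is written into an inline script block by string concatenation, so a value containing an end tag terminates the script element early. The following is an added example, not code from the Vitro project: `renderUnsafe` mirrors that pattern, `renderSafe` serialises the value as a JavaScript literal with `<`, `>` and `&` written as `\u` escapes so the HTML parser never sees a tag, and `scriptBodyBreaksOut` is a constructed check that a test or scanner could run over rendered output. The sample value is the report's reproduction string, URL-decoded.

```javascript
// Reflected XSS inside a <script> element: the HTML parser ends the element
// at the first "</script" it sees, regardless of JavaScript string quoting,
// so HTML-escaping alone is the wrong tool. The value must be emitted as a
// JS literal that cannot contain the characters of an end tag.

// Constructed sample: the reproduction value from the report, URL-decoded.
const SAMPLE_QUERY = '</script><script>alert("uh oh");</script>';

// Unsafe: raw concatenation of the parameter into inline script (the pattern
// the report describes). Hypothetical variable name for illustration.
function renderUnsafe(querytext) {
  return '<script>var querytext = "' + querytext + '";</script>';
}

// Safe: JSON-encode (handles quotes and backslashes), then rewrite the
// characters HTML or older JS engines treat specially as \u escapes.
// JSON.parse/JS evaluation of the literal still yields the original string.
function toScriptLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')   // line terminators JSON.stringify leaves raw
    .replace(/\u2029/g, '\\u2029');
}

function renderSafe(querytext) {
  return '<script>var querytext = ' + toScriptLiteral(querytext) + ';</script>';
}

// Defensive check for rendered output: does the script body contain a
// premature end tag? Tag matching is case-insensitive in HTML.
function scriptBodyBreaksOut(html) {
  const body = html.slice('<script>'.length, html.lastIndexOf('</script>'));
  return /<\/script/i.test(body);
}
```

FreeMarker's `?js_string` and `?json_string` built-ins exist for this purpose when the value is emitted from a template rather than from JavaScript.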