[ https://issues.apache.org/roller/browse/ROL-1766?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Anil Gangolli updated ROL-1766:
-------------------------------
Attachment: ROL-1766-weblog-vm.patch
Patch that can be applied to weblog.vm to work around this issue. This
patch is NOT needed if running a build of Roller trunk after revision 668737,
which fixes this issue in Java code without needing to modify the weblog.vm
macros.
> Cross-site scripting vulnerability in Roller search term treatment
> ------------------------------------------------------------------
>
> Key: ROL-1766
> URL: https://issues.apache.org/roller/browse/ROL-1766
> Project: Roller
> Issue Type: Bug
> Components: Search
> Affects Versions: 2.3, 3.0, 3.1, 4.0
> Environment: any
> Reporter: Anil Gangolli
> Assignee: Roller Unassigned
> Attachments: ROL-1766-weblog-vm.patch
>
>
> The search term submitted to Roller as the value of the "q" parameter on
> search requests (/search?q=query+terms) is echoed back in the default search
> form without escaping HTML tags.
> This can be converted to a cross-site scripting attack.
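The issue above comes down to the "q" value being written into the search form without HTML escaping. The following is an added example, not Roller's code and not the attached patch: it shows the unescaped echo beside an escaped one. The class name, method names and the input-field markup are hypothetical, and the sample terms are constructed.

```java
public class SearchTermEcho {

    // Escape the characters that are significant in HTML text and in quoted
    // attribute values, so the echoed term can only ever render as data.
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Behaviour the issue describes: the raw term is echoed into the form.
    static String renderUnescaped(String q) {
        return "<input type=\"text\" name=\"q\" value=\"" + q + "\" />";
    }

    // Corrected behaviour: escape at the point of output.
    static String renderEscaped(String q) {
        return "<input type=\"text\" name=\"q\" value=\"" + escapeHtml(q) + "\" />";
    }

    public static void main(String[] args) {
        // Constructed sample terms: a normal query, one carrying markup,
        // and one with an ampersand.
        String[] terms = { "roller weblog", "\"><b>injected</b>", "a & b" };
        for (String q : terms) {
            System.out.println("term:      " + q);
            System.out.println("unescaped: " + renderUnescaped(q));
            System.out.println("escaped:   " + renderEscaped(q));
            // After escaping, no quote or angle bracket from the term survives,
            // so the term cannot close the attribute or open a new tag.
            String e = escapeHtml(q);
            if (e.indexOf('<') >= 0 || e.indexOf('>') >= 0 || e.indexOf('"') >= 0) {
                throw new AssertionError("unescaped metacharacter in: " + e);
            }
        }
    }
}
```

For the second term, the unescaped output shows the quote ending the `value` attribute early and the rest being parsed as markup; the escaped output keeps the whole term inside the attribute.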