This is not a problem only with the search field. It's a security policy that XWiki allows it's users to run script. In syntax 1.0 you are allowed to type HTML (and thus script) into the document, in syntax 2.0 you can use HTML in the document by invoking the HTML macro.
My opinion is that to prevent users from running script you would have to set up an output filter such as Apache mod_filter and implement a policy which blocks all script which is in parts of the page which are user editable. Caleb Ivan Levashew wrote: > Joel Forsberg wrote: >> Do you happen to know the JIRA ticket for this bug? (if there is one?) >> > http://jira.xwiki.org/jira/browse/XE-24 but it is for previous search > engine. > >> The {pre} seems to dodge some of the unwanted effects, but in turn makes >> further editing the script difficult. Next time I edit the {pre} seems to >> have >> disappeared, instead leaving a <p>-tag artifact depending on circumstances. >> >>> CrossSiteScripting example: <script>alert('I pwnd U')</script> >>> => bad, bad, bad >> That is exatly what I would like to avoid, hehe. :) >> > _______________________________________________ users mailing list [email protected] http://lists.xwiki.org/mailman/listinfo/users
