team4alfanous team mailing list archive

[Bug 939115] Re: the url "http://alfanous.org/?search=" does not filter input and accepts js code

 

** Changed in: alfanous
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Alfanous
team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/939115

Title:
  the url "http://alfanous.org/?search=" does not filter input and
  accepts js code

Status in Alfanous  - Advanced Quranic Search Engine:
  Fix Released

Bug description:
  When someone does a search like http://alfanous.org/?search="test" the word test is
  printed in the page without proper encoding, and the parameter search does not filter
  what it takes as keyword. For example, if you replace "test" by "<script>alert(1)</script>"
  you'll see the result, so the website is vulnerable to the most basic XSS attack.

To manage notifications about this bug go to:
https://bugs.launchpad.net/alfanous/+bug/939115/+subscriptions
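
The missing output encoding described in the bug report, shown beside an encoded rendering. This is an added example, not Alfanous code and not the fix that was released; the page template, function names and the host search.example are assumptions, and the sample URLs are constructed.

```python
from html import escape
from urllib.parse import urlsplit, parse_qs

# Hypothetical results page: the keyword is echoed in two HTML contexts,
# an attribute value (the search box) and element text (the heading).
PAGE = '<input name="search" value="{attr}"><p>Results for: {body}</p>'

# Constructed sample requests, parsed offline only.
URL_SCRIPT = "http://search.example/?search=%3Cscript%3Ealert(1)%3C/script%3E"
URL_QUOTED = "http://search.example/?search=%22test%22"


def keyword_from_url(url):
    """Return the decoded `search` parameter, or '' when it is absent."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("search", [""])[0]


def render_unsafe(url):
    """Behaviour the report describes: the keyword is printed as-is."""
    kw = keyword_from_url(url)
    return PAGE.format(attr=kw, body=kw)


def render_safe(url):
    """Encode on output. quote=True also encodes " and ', which is what
    keeps the keyword inside the value="..." attribute."""
    kw = escape(keyword_from_url(url), quote=True)
    return PAGE.format(attr=kw, body=kw)


def reflects_markup(html, url):
    """Regression check: True when the page echoes the decoded keyword
    unencoded and the keyword contains an HTML-significant character."""
    kw = keyword_from_url(url)
    return any(c in kw for c in '<>"\'&') and kw in html


if __name__ == "__main__":
    for url in (URL_SCRIPT, URL_QUOTED):
        print("unsafe reflects markup:", reflects_markup(render_unsafe(url), url))
        print("safe reflects markup:  ", reflects_markup(render_safe(url), url))
        print(render_safe(url))
```

Encoding happens at output time, per context; the search itself still receives the original, unmodified keyword.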

