Fix reflected XSS vulns in both default themes #48
In the `blog-list.php` view of both themes included in Gila (gila-blog and gila-mag), there is a lack of HTML entity encoding, which leads to reflected cross-site scripting being possible in the search results. An example of this can be seen in the console of the screenshot below when visiting the URL:

`/?search=xss%22+onfocus%3D%22console.log%28document.domain%29%22+autofocus%3D%22true`

This pull request fixes both instances of this by parsing the user input through `htmlentities` first.
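The following is an added example and is not code from the Gila project or from this pull request. It assumes a minimal search-results view that echoes the `search` parameter into an input's `value` attribute, and shows the unencoded output next to the `htmlentities` form the PR describes. The sample input is the decoded form of the query string above, constructed here for illustration; the function names are hypothetical.

```php
<?php
// Added example (not Gila's own code): the effect of htmlentities() on a
// reflected search term placed inside an HTML attribute value.

// Constructed sample input: the decoded form of the query string from the PR text.
const SAMPLE_SEARCH = 'xss" onfocus="console.log(document.domain)" autofocus="true';

// Vulnerable rendering: the raw query is concatenated into the attribute,
// so the first double quote terminates value="..." and the remainder of the
// input is parsed by the browser as additional attributes.
function render_search_vulnerable(string $q): string
{
    return '<input type="text" name="search" value="' . $q . '">';
}

// Hardened rendering: htmlentities() with ENT_QUOTES encodes both " and ',
// and pinning the charset to UTF-8 avoids encoder bypasses via a mismatched
// charset. The quote can no longer close the attribute, so the whole term
// stays inside value="..." as inert text.
function render_search_safe(string $q): string
{
    $encoded = htmlentities($q, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="search" value="' . $encoded . '">';
}

// Simple regression check a reviewer could keep in a test: the hardened output
// must not contain an unencoded quote followed by an event-handler attribute.
function output_is_inert(string $html): bool
{
    return preg_match('/"\s+on\w+\s*=/i', $html) === 0;
}

echo render_search_vulnerable(SAMPLE_SEARCH), PHP_EOL;
echo render_search_safe(SAMPLE_SEARCH), PHP_EOL;

var_dump(output_is_inert(render_search_vulnerable(SAMPLE_SEARCH))); // false: attribute breakout
var_dump(output_is_inert(render_search_safe(SAMPLE_SEARCH)));       // true: quotes encoded
```

Note that `htmlentities` is the right tool only for the HTML body and quoted-attribute contexts this view uses; the same search term placed inside an inline `<script>` block or a URL would need JavaScript-string or URL encoding instead, since entity encoding does not neutralise input in those contexts.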