[security] quick search and criteria display

[plegall]

We need to sanitize search criteria used in quick search before displaying on search_rules.php page.

Reported by @BlueTower

[plegall]

related to #548

[fgeek]

CVE-2016-9751 identifier has been assigned for this vulnerability.

[BlueTower]

Hello @plegall -

I believe this issue needs to reopened. I am still able to execute a payload on (http://piwigo.org/demo/search_rules.php?search_id=38739) using a payload such as:

<svg onload=alert&#40;1&#41>

Suggestions?

[fgeek]

@plegall Any comments? Can you take a new look and fix this in 2.9.3?

[TallGuysFreeADMIN]

Can anyone reproduce? I've tested for XSS many times (not just in piwigo), and the piwigo.org link by bluetower isn't showing any alert. Tested in Firefox, where XSS should work.

[plegall]

I can't reproduce neither. I close this already closed bug.