fixes #78 escape suggestion to avoid xss
seancoyne committed Sep 4, 2018
1 parent c6e2115 commit b8f3d61
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion packages/forms/solrProSearch.cfc
@@ -197,7 +197,7 @@
<!--- build the HTML and return it --->
<cfset var str = "" />
<cfsavecontent variable="str">
<cfoutput>Did you mean <a href="#arguments.linkUrl#">#suggestion#</a>?</cfoutput>
<cfoutput>Did you mean <a href="#arguments.linkUrl#">#application.stPlugins.farcrysolrpro.oCustomFunctions.xmlSafeText(suggestion)#</a>?</cfoutput>
</cfsavecontent>

<cfreturn trim(str) />
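Review bot: the same hunk still interpolates #arguments.linkUrl# into the href attribute unescaped on both the removed and the added line, so the change only covers the link text; if linkUrl can carry request-derived data it needs attribute-context encoding as well, for example encodeForHTMLAttribute(arguments.linkUrl) (a ColdFusion built-in since CF10). Also, xmlSafeText is named as an XML escaper but is being relied on for an HTML text context; that is fine only if it escapes at least &, <, > and quotes, and a dedicated HTML encoder such as encodeForHTML(suggestion), or the ESAPIEncode('html', ...) form raised in the comments below, would make the output context explicit instead of depending on the plugin helper's exact behaviour.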

3 comments on commit b8f3d61

@webonix webonix commented on b8f3d61 Sep 4, 2018

Hi @jeffcoughlin

We changed it to use arguments.q instead of suggestion:

  • <cfoutput>Did you mean <a href="#arguments.linkUrl#">#ESAPIEncode('html', suggestion)#</a>?</cfoutput>
  • <cfoutput>Did you mean <a href="#arguments.linkUrl#">#ESAPIEncode('html', arguments.q)#</a>?</cfoutput>

@seancoyne
Collaborator Author

Why would you suggest the user use the query they just used?

@webonix webonix commented on b8f3d61 Sep 5, 2018

good point - following up ...
