In html_output, the function tep_draw_input_field uses tep_output_string($value) to write a user-chosen string to the value attribute of an input field. tep_output_string translates `"` to `&quot;`, but `<` and `>` are not translated.
Applied to the search field, this has the effect that, for example, `<script>` remains unencoded in the value. The encoded quotation mark ensures this is not immediately usable for XSS, but still it is unfortunate.
Example:
https://demo.oscommerce.com/advanced_search.php?keywords=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&search_in_description=1
Kudos to https://www.openbugbounty.org/researchers/AndreCalvinho/ for giving hints about the issue.
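As an added example (not osCommerce's own code from html_output.php, which is not reproduced here), a minimal reconstruction of the quote-only escaping the issue describes next to an htmlspecialchars-based replacement, applied to the keyword from the example URL. The function names `weak_output_string`, `safe_output_string`, `draw_input_field` and `leaks_markup` are assumptions made for this example.

```php
<?php
// Added example, not osCommerce code. Reconstructs the behaviour the issue
// describes: only the double quote is escaped, so '<', '>' and '&' pass
// straight into the attribute value.
function weak_output_string(string $value): string
{
    return str_replace('"', '&quot;', $value);
}

// Hardened replacement: escape every HTML-significant character.
// ENT_QUOTES also covers single quotes, which matters if a template
// ever wraps the attribute in them instead of double quotes.
function safe_output_string(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Simplified stand-in for tep_draw_input_field: the encoder is passed in
// so both variants can be compared on the same input.
function draw_input_field(string $name, string $value, callable $encode): string
{
    return '<input type="text" name="' . $name . '" value="' . $encode($value) . '" />';
}

// Defender-side check: an encoded attribute value should never contain raw
// angle brackets. Useful as a unit test around any output-encoding helper.
function leaks_markup(string $encodedValue): bool
{
    return preg_match('/[<>]/', $encodedValue) === 1;
}

// Constructed sample input: the URL-decoded keywords parameter from the
// issue's example link.
$keyword = '"><script>alert(1);</script>';

foreach (['weak_output_string', 'safe_output_string'] as $encoder) {
    $encoded = $encoder($keyword);
    printf(
        "%-19s leaks raw markup: %s\n  %s\n",
        $encoder,
        leaks_markup($encoded) ? 'yes' : 'no',
        draw_input_field('keywords', $keyword, $encoder)
    );
}
```

With the weak encoder the attribute stays closed because the quote is escaped, but the `<script>` tags are still emitted verbatim inside it; the hardened encoder leaves no raw angle brackets at all.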