Correct missing escaping in searchResults.tpl #3805
The searchQuery template variable presents user-supplied information without proper escaping. This permits a reflected (non-persistent) XSS attack.
Instructions to patch are here: #3805 (comment)
Affects OMP between 1.2.0 and 3.1.1-2 (inclusive).
This can be corrected for OMP between 1.2.0 and 3.1.1-1 (inclusive) by applying this patch: https://github.com/pkp/omp/commit/ebf3a701708112f4973d02f26a0b1d746dcd4970.diff
OMP 1.2.0 to 3.1.1-2 additionally need the following patch:
For example, on most Linux systems this should work. Run it inside the OJS installation directory.
You should see the following output for each of the two commands:
The issue is corrected in OMP 3.1.1-3 and newer.
If you're using checkouts from git, all stable branches (e.g.
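A check for the class of bug described in this issue, as an added example that is not code from the issue or from the OMP project: it scans Smarty template text for direct variable output tags that have no `escape` modifier. The sample template lines are constructed for illustration, and treating `|escape` as the fix is an assumption based on the issue title.

```python
import re

# Direct Smarty output tags: {$name}, {$name.key}, {$name|mod:arg|mod2}
OUTPUT_TAG = re.compile(r"\{\s*\$(\w+)([^{}|]*)((?:\|[^{}]*)?)\}")


def modifiers(chain):
    """Return the modifier names from a '|a:1|b' chain ('' gives [])."""
    return [m.split(":", 1)[0].strip().lstrip("@") for m in chain.split("|")[1:]]


def find_unescaped(template, watch=None):
    """Return (line_no, variable, tag) for output tags lacking |escape.

    watch: optional set of variable names to restrict the report to.
    Variables passed as attributes to other tags are not covered.
    """
    findings = []
    for line_no, line in enumerate(template.splitlines(), 1):
        for m in OUTPUT_TAG.finditer(line):
            name, chain = m.group(1), m.group(3)
            if watch and name not in watch:
                continue
            if "escape" not in modifiers(chain):
                findings.append((line_no, name, m.group(0)))
    return findings


# Constructed sample, not the real searchResults.tpl.
VULNERABLE = """<h2>{translate key="example.heading"}</h2>
<input type="text" name="query" value="{$searchQuery}" />
<p>{$resultCount|escape} results</p>"""

# Same template with the escape modifier applied to the user-supplied value.
FIXED = VULNERABLE.replace("{$searchQuery}", "{$searchQuery|escape}")

if __name__ == "__main__":
    for label, tpl in (("before", VULNERABLE), ("after", FIXED)):
        print(label, find_unescaped(tpl, watch={"searchQuery"}))
```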