Reply To: catalog search xss vulnerability
The problem lies in: /app/code/core/Mage/CatalogSearch/Helper/Data.php
/**
 * Retrieve HTML escaped search query
 * @return string
 */
public function getEscapedQueryText()
This will only escape < > and ".
It would be nice to allow only a-z, A-Z and numbers.
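As an added example (not code from the post above or from Magento itself), here is a plain-PHP comparison of the two approaches: context-aware HTML escaping that encodes &, <, >, " and ', next to the a-z/A-Z/0-9 allowlist the post proposes, run over constructed sample queries so the trade-off on legitimate input is visible. The function names and samples are my own.

```php
<?php
// Added example, not Magento code: two ways of handling a search query
// before it is echoed back into an HTML page, shown side by side.

// Context-aware HTML escaping. ENT_QUOTES also encodes the single quote,
// so the result is safe inside element text and inside double- or
// single-quoted attribute values; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string for the whole query.
function escapeSearchQuery(string $query): string
{
    return htmlspecialchars($query, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Allowlist approach from the post: keep only a-z, A-Z and 0-9.
// This cannot carry markup, but it also drops spaces, hyphens and any
// non-ASCII letters, so "blue t-shirt" and "café" no longer match products.
function allowlistSearchQuery(string $query): string
{
    return preg_replace('/[^a-zA-Z0-9]/', '', $query);
}

// Constructed sample inputs: two benign queries and one containing markup.
$samples = [
    'blue t-shirt 42',
    'café',
    '<b>sale</b> & "50%" off',
];

foreach ($samples as $q) {
    printf("raw:       %s\n", $q);
    printf("escaped:   %s\n", escapeSearchQuery($q));
    printf("allowlist: %s\n\n", allowlistSearchQuery($q));
}
```

Run with `php example.php`; the escaped form keeps every benign query intact and renders the markup sample as literal text, while the allowlist form mangles the benign queries.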