    Reply To: catalog search xss vulnerability

    The problem lies in: /app/code/core/Mage/CatalogSearch/Helper/Data.php

    Line 143:

    /**
     * Retrieve HTML escaped search query
     * @return string
     */
    public function getEscapedQueryText()
    {
        return $this->htmlEscape($this->getQueryText());
    }

    This will only escape < > and ".

    It would be nice to allow only a-z, A-Z and numbers.
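As an added illustration of the two approaches discussed in this reply (HTML escaping versus an allowlist of characters), the script below is example code written for this thread, not code from the original post or from Magento. It compares what PHP's `htmlspecialchars()` converts under `ENT_COMPAT` (which leaves single quotes alone) with `ENT_QUOTES`, and shows a simple allowlist filter. The function names `escapeQueryText` and `allowlistQueryText`, the sample search string, and the decision to also allow spaces in the allowlist are my own assumptions.

```php
<?php
// Added example, not Magento code: compare escaping strategies for a search
// query that is reflected back into an HTML page.

// Escape for an HTML context. ENT_QUOTES also converts the single quote, so the
// value is safe inside both double- and single-quoted attributes.
function escapeQueryText(string $query): string
{
    return htmlspecialchars($query, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Allowlist approach suggested in the reply: keep only letters and digits.
// Spaces are kept as well so multi-word searches survive (my assumption).
function allowlistQueryText(string $query): string
{
    return preg_replace('/[^A-Za-z0-9 ]+/', '', $query);
}

// Constructed sample input containing each character that matters in an HTML
// context: ampersand, angle brackets, double quote and single quote.
$sample = 'red "shoes" <b>& \'boots\'';

// ENT_COMPAT converts & < > " but leaves the single quote untouched, so a
// value placed inside a single-quoted attribute can still break out of it.
echo "ENT_COMPAT: " . htmlspecialchars($sample, ENT_COMPAT, 'UTF-8') . PHP_EOL;
echo "ENT_QUOTES: " . escapeQueryText($sample) . PHP_EOL;
echo "allowlist:  " . allowlistQueryText($sample) . PHP_EOL;
```

Run it with `php example.php`; the first line shows the single quotes passing through unchanged, the second shows them converted to `&#039;`, and the third shows everything except letters, digits and spaces stripped. Escaping with `ENT_QUOTES` preserves the user's query for display, while the allowlist is simpler but silently changes what the user searched for.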