[Plugin: PiwikSearchEngineKeywords] XSS Security issue in Plugin
Hi
If I search for <script>alert('test');</script> and Piwik registers it, the JS code is completely embedded into the webpage, and this is an XSS security risk at a very high level!
Please add htmlentities() to the output of the keywords on line 222 in the plugin, like:
if ($i != $qresult->rowCount() - 1)
    $keywords = $keywords . '<li>' . htmlentities($keyword) . '</li>'
        . (($separator_on == true && $this->separator != "") ? '<li class="psek_separator">' . $this->separator . '</li>' : '');
else
    $keywords = $keywords . '<li>' . htmlentities($keyword) . '</li>';
This is strongly recommended!!
Regards
https://www.ads-software.com/extend/plugins/piwik-search-engine-keywords/
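Added example, not part of the original post and not the plugin's code: the keyword list from the post rebuilt with output escaping at the point where each keyword is written into the `<li>`. It uses htmlspecialchars() with explicit flags and charset instead of the bare htmlentities() call suggested above, because PHP versions before 5.4 default to ISO-8859-1 and would mangle UTF-8 keywords. The function names are hypothetical, the keywords are constructed sample data, and the separator is assumed to be plain text.

```php
<?php
// Added example; psek_escape() and psek_render_keywords() are hypothetical names.

/** Escape one value for use as HTML element content. */
function psek_escape(string $value): string
{
    // ENT_QUOTES encodes both ' and "; ENT_SUBSTITUTE replaces invalid UTF-8
    // sequences with U+FFFD instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Build the <li> items, with an optional separator item between keywords. */
function psek_render_keywords(array $keywords, string $separator = ''): string
{
    $items = [];
    foreach ($keywords as $keyword) {
        $items[] = '<li>' . psek_escape($keyword) . '</li>';
    }
    // Assumption: the separator is plain text, so it is escaped as well.
    $glue = $separator !== ''
        ? '<li class="psek_separator">' . psek_escape($separator) . '</li>'
        : '';
    return implode($glue, $items);
}

// Constructed sample rows standing in for keywords read from the Piwik database.
$keywords = [
    "<script>alert('test');</script>",  // the search term from the post
    'wordpress "piwik" plugin',         // quotes are encoded too
    'café münchen',                     // valid UTF-8 stays readable
    "broken \xC3 byte",                 // invalid UTF-8 is substituted, not dropped
];

$html = psek_render_keywords($keywords, '|');
echo $html, PHP_EOL;

// Self-check: no raw tag from a keyword may survive into the markup.
if (strpos($html, '<script') !== false) {
    throw new RuntimeException('unescaped keyword reached the output');
}
if (strpos($html, '&lt;script&gt;alert(&#039;test&#039;);&lt;/script&gt;') === false) {
    throw new RuntimeException('expected escaped form of the keyword not found');
}
```

Escaping here is correct for element content only; a keyword written into an attribute, a URL or inline JavaScript needs the encoding for that context.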
- The topic ‘[Plugin: PiwikSearchEngineKeywords] XSS Security issue in Plugin’ is closed to new replies.