I can't help with XSS on the search page (we don't use it), but you may be interested in https://issues.apache.org/roller/browse/ROL-1727, which fixes some other XSS problems.
Nick

-----Original Message-----
From: richiebaby [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 29 July 2008 8:27 PM
To: [email protected]
Subject: Please tell me how to validate the search string that appears in the URL

Hi,

I have been asked to add some validation to our Roller installation because it is vulnerable to XSS (Cross Site Scripting) attacks. The first place that I am looking is in the search on our home page weblog.

When you perform a search you can see that the search string is appended to the URL, like this:

http://***/roller/frontpageblog/search?=text+to+search+for

Therefore it is also possible to create a search string that contains some script like this:

http://***/roller/frontpageblog/search?q=<script>alert("XSS")<%2Fscript>

The above URL causes a pop up to be displayed.

On the search results page, I have seen that I can validate the search text by capturing the variable '$model.term' within weblog.vm on the server (roller\WEB-INF\velocity\weblog.vm). For example, within the macro showWeblogSearchAgainForm, I can take $model.term and use $utils.replace to strip out any possible script. However, this has no effect on the search string appended to the URL and so the pop up is still being displayed.

Question: Could somebody please point me towards how I can monitor the search URLs within Roller so that I can strip out any script?

Thank you

--
View this message in context: http://www.nabble.com/Please-tell-me-how-to-validate-the-search-string-that-appears-in-the-URL-tp18709716s12275p18709716.html
Sent from the Roller - Dev mailing list archive at Nabble.com.
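The fix the question is reaching for is output encoding rather than URL monitoring: a reflected term such as $model.term is harmless once it is encoded for the context it is written into (HTML text, an attribute value, or a link's query string), whereas stripping "<script>" with $utils.replace is a blacklist. The following Java class is an added example, not code from this thread or from Roller; the class and method names are hypothetical, and the input is the decoded form of the query shown above.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

/**
 * Added example (not Roller's own code): contextual output encoding for a
 * reflected search term. In Roller the term reaches the page as $model.term
 * in weblog.vm; encode it for the exact context it lands in instead of
 * trying to strip markup out of it. Names here are hypothetical.
 */
public final class SearchTermEncoder {

    /** Encode for HTML text and for double-quoted attribute values. */
    public static String htmlEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                case '/':  sb.append("&#47;");  break; // so "</" can never close a tag
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Encode for a URL query-string value, e.g. a "search again" link. */
    public static String urlQueryEscape(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed input: the decoded q= value from the message above.
        String term = "<script>alert(\"XSS\")</script>";

        // Text context: the results heading. Browser shows the literal text.
        System.out.println("<h2>Results for " + htmlEscape(term) + "</h2>");
        // Attribute context: the search-again form's input value.
        System.out.println("<input type=\"text\" name=\"q\" value=\""
                + htmlEscape(term) + "\">");
        // URL context: a link that re-runs the same search.
        System.out.println("<a href=\"search?q=" + urlQueryEscape(term)
                + "\">search again</a>");
    }
}
```

In a Velocity template the same effect is obtained by passing $model.term through an HTML-escaping helper at every point it is rendered; the raw query string in the URL can stay as the user typed it, since only the rendered page matters.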
