Closed Bug 603450 Opened 14 years ago Closed 13 years ago

Output Encode Searches to Prevent XSS

Categories

(Websites :: Other, defect)

defect
Not set
major

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: mcoates, Unassigned)

References

()

Details

(Keywords: wsec-xss, Whiteboard: [infrasec:xss])

Issue

The search values are returned to the page without proper output encoding. As a result it is possible for an attacker to insert html or JavaScript that could result in modification to the page or redirecting the user to a third party site.

Steps to reproduce
1. Browse to the following url:
http://firefoxtweetmachine.com/#%3Chr%3Efirefox
2. Wait for the tan search bubble to appear that will say "Showing results for "
3. Observe that the <hr> tag has been rendered
4. Stop the bubble movement by clicking the right lever.
5. Inspect the search element with firebug and observe that the search query was not properly output encoded:
<h1>Showing results for</h1>  	<p>"</p><hr>firefox"

Recommended Remediation
Perform html entity output encoding on the search value when it is returned to the page.
Search queries are now escaped.
Has this fix been pushed live? I just tested it and the issue is still present.

When I enter the search of:
<hr>firefox

the response listed within the twitter bubble message should literally say:
<hr>firefox

Currently the entered html is being evaluated and I see a line and then the word firefox.

The solution is to output encode the value entered by the user. So the actual html would be this:
&lt;hr&gt;firefox

and the user would see 
<hr>firefox

on the webpage.
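The remediation described in the report and in the comment above, shown as an added example rather than the site's own code: the search term is taken from the URL fragment, and the fix is to entity-encode it before it is placed in the page. The function names (escapeHtml, parseSearchFromHash, renderBubbleUnsafe, renderBubbleSafe) are assumptions.

```javascript
// Added example, not firefoxtweetmachine.com's own code. It demonstrates the
// HTML entity output encoding the report recommends for the reflected search term.

// Encode the five characters that can change HTML context. Entity encoding is the
// right tool when a value lands in element content or a double-quoted attribute;
// a value placed inside a script block or a URL needs that context's encoding instead.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// The site read the query from the URL fragment (e.g. "#%3Chr%3Efirefox").
// decodeURIComponent turns the percent-encoding back into "<hr>firefox", so the
// decoded value still has to be encoded before it touches the DOM.
function parseSearchFromHash(hash) {
  const raw = hash.startsWith("#") ? hash.slice(1) : hash;
  try {
    return decodeURIComponent(raw);
  } catch (e) {
    return raw; // malformed percent-encoding: keep the literal text
  }
}

// Before: the query is concatenated into markup, so the browser parses "<hr>" as
// an element when the string is assigned to innerHTML.
function renderBubbleUnsafe(query) {
  return '<h1>Showing results for</h1>\t<p>"' + query + '"</p>';
}

// After: the query is entity-encoded, so the user sees the literal text <hr>firefox.
function renderBubbleSafe(query) {
  return '<h1>Showing results for</h1>\t<p>"' + escapeHtml(query) + '"</p>';
}

// Constructed sample matching the reproduction step in the report.
const sampleHash = "#%3Chr%3Efirefox";
const sampleQuery = parseSearchFromHash(sampleHash);
console.log(renderBubbleUnsafe(sampleQuery)); // markup contains a live <hr> element
console.log(renderBubbleSafe(sampleQuery));   // markup contains &lt;hr&gt;firefox
```

When the target is a DOM node rather than a markup string, assigning the decoded query to `element.textContent` gives the same result without hand-rolled escaping.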
Hello, we've deployed the latest version, everything should be fixed now.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Verified.
Status: RESOLVED → VERIFIED
Adding keywords to bugs for metrics, no action required.  Sorry about bugmail spam.
Keywords: wsec-xss