Item13741: URLPARAM macro needs safe+quote encoding option.
Priority: Security
Current State: Closed
Released In: 2.0.2
Target Release: patch
This task addresses an XSS path through the WebSearch page, and also improves the ability to search for strings that would previously have been expanded as macros before the search ran. All user input to the search page must be entity encoded; otherwise it is possible to inject macros and JavaScript into the displayed results, which is an XSS path. The current WebSearch parameters are "quote" encoded, but that is insufficient: quote encoding only backslash-escapes double quotes so the value cannot terminate the enclosing macro parameter, and leaves the macro delimiter % and HTML markup in the value untouched.
The %URLPARAM% macro's encode= parameter has been changed to accept a comma-separated list, so that quote and entity encoding can be used in combination:
%URLPARAM{"searchterm" encode="quote, entity"}%
This is combined with a new %SEARCH% parameter, decode, which reverses the effect of the encoding so that the search itself runs on the string the user actually typed while the page only ever displays the encoded form. The safe way to include any URL parameter in a search is to code it as follows:
%SEARCH{"%URLPARAM{"searchterm" encode="quote, entity"}%" decode="entity"}%
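The following Python is an added example, not Foswiki's own code: it models the encode/decode chain above with simplified stand-ins for URLPARAM's quote and entity encoders, SEARCH's decode="entity" and the macro parameter parser (the set of characters entity-encoded, the left-to-right application order of the listed encodings and the regex-based parameter parsing are assumptions made for the model). It takes a constructed attacker payload containing a script tag and a macro reference and shows that with encode="quote" alone the displayed value still contains live markup and a live macro, while with encode="quote, entity" nothing live reaches the page and decode="entity" still hands the search engine the original string. A second constructed input shows what quote encoding alone does buy: without it a double quote in the value injects extra SEARCH parameters.

```python
import re

# Characters the model's entity encoder turns into numeric character
# references. Foswiki's real encoder covers a wider set; this list is an
# assumption chosen to include the characters that matter for injection: the
# macro delimiter '%', HTML tag delimiters and both quote characters.
ENTITY_CHARS = set('%&<>"\'[]|')


def quote_encode(value: str) -> str:
    """encode="quote": backslash-escape double quotes so the value cannot end
    the enclosing macro parameter. Nothing else is changed."""
    return value.replace('"', '\\"')


def entity_encode(value: str) -> str:
    """encode="entity": replace each special character with &#NN;."""
    return ''.join(f'&#{ord(c)};' if c in ENTITY_CHARS else c for c in value)


def entity_decode(value: str) -> str:
    """decode="entity": reverse entity_encode."""
    return re.sub(r'&#(\d+);', lambda m: chr(int(m.group(1))), value)


ENCODERS = {'quote': quote_encode, 'entity': entity_encode}


def urlparam(value: str, encode: str) -> str:
    """Stand-in for %URLPARAM{"name" encode="..."}%. The encodings in the
    comma-separated list are applied left to right (an assumption)."""
    for name in (e.strip() for e in encode.split(',')):
        if name:
            value = ENCODERS[name](value)
    return value


def build_search_macro(term: str, encode: str) -> str:
    """Text of %SEARCH{"%URLPARAM{"searchterm" encode="..."}%" decode="entity"}%
    once the inner URLPARAM has been expanded."""
    return '%SEARCH{"' + urlparam(term, encode) + '" decode="entity"}%'


# Simplified model of the macro parameter parser: the first quoted string,
# with \" honoured as an escaped quote, then the rest of the parameter list.
SEARCH_RE = re.compile(r'%SEARCH\{"((?:[^"\\]|\\.)*)"(.*?)\}%', re.S)


def parse_search(macro: str):
    """Return (search_string, remaining_parameters) as the search engine would
    see them, or None if the macro text no longer parses."""
    m = SEARCH_RE.match(macro)
    if not m:
        return None
    raw, rest = m.group(1).replace('\\"', '"'), m.group(2)
    if 'decode="entity"' in rest:
        raw = entity_decode(raw)
    return raw, rest


LIVE_RE = re.compile(r'%[A-Z][A-Z0-9_:]*(?:\{[^}]*\})?%|<[A-Za-z/][^>]*>')


def live_macros_and_tags(text: str) -> list:
    """Raw macro references and HTML tags that would still be expanded or
    rendered if this text were placed in the results page."""
    return LIVE_RE.findall(text)


# Constructed attacker input: a script tag plus a macro reference.
PAYLOAD = '<script>alert(1)</script> %INCLUDE{Main.WebHome}%'

if __name__ == '__main__':
    for encode in ('quote', 'quote, entity'):
        shown = urlparam(PAYLOAD, encode)
        print(f'encode="{encode}": displayed={shown!r}')
        print('  live in page  :', live_macros_and_tags(shown))
        print('  search runs on:', parse_search(build_search_macro(PAYLOAD, encode)))
    # Constructed input that tries to smuggle in an extra SEARCH parameter.
    for encode in ('', 'quote'):
        print(f'encode="{encode}":', parse_search(build_search_macro('x" web="Main', encode)))
```

The two checks are independent: entity encoding is what keeps macros and markup from being rendered in the results page, and quote encoding is what keeps the value inside its own parameter, which is why the recommended form uses both.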
Action needed: administrators should search for any locally created or modified topics that use the URLPARAM macro and ensure that entity encoding is used wherever possible, to prevent injection of macros or JavaScript.