Foswiki > Tasks Web > Item13741 (10 Oct 2015, GeorgeClark)

Item13741: URLPARAM macro needs safe+quote encoding option.

Priority: Security
Current State: Closed
Released In: 2.0.2
Target Release: patch
Applies To: Engine
Component: SEARCH, UrlHandling
Branches: master
Reported By: GeorgeClark
Waiting For:
Last Change By: GeorgeClark
This task addresses an XSS path through the WebSearch page, and also improves the ability to search for strings that would previously have been expanded as macros before the search ran. All user input to the search page must be entity encoded; otherwise it is possible to inject macros and JavaScript into the displayed results, which is a possible XSS path. The current WebSearch parameters are "quote" encoded, but quote encoding alone is insufficient.

The %URLPARAM% macro encode= parameter has been changed to accept a comma-separated list, so that quote and entity encoding can be used in combination:
   %URLPARAM{"searchterm" encode="quote, entity"}%

This is combined with a new %SEARCH% argument, decode, which reverses the effect of the encoding after the macro has been parsed. The safe way to include any URL parameter in a search is to code it as follows:

   %SEARCH{"%URLPARAM{"searchterm" encode="quote, entity"}%" decode="entity"}%
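The following is an added Python model of the encoding chain described above; it is not Foswiki's own code. It models "quote" encoding as escaping double quotes, "entity" encoding as numeric HTML entities for the characters that drive macro expansion and HTML injection (the exact character set Foswiki encodes is an assumption here), and SEARCH's decode="entity" as the reverse step applied after the macro parser has read the argument. The sample inputs are constructed. Running it shows why quote encoding alone leaves a macro intact in the page text, why entity encoding alone lets a quote break out of the SEARCH argument, and how the combination with decode="entity" recovers the original search string intact.

```python
import html
import re

# Constructed sample inputs, as they might arrive in the searchterm URL parameter.
SAMPLE_INPUTS = {
    "plain": "foswiki release notes",
    "macro": '%INCLUDE{"Main.WebHome"}%',
    "script": "<script>alert(1)</script>",
    "breakout": 'x" excludetopic="WebHome',
}


def encode_quote(s: str) -> str:
    """Model of encode="quote": escape double quotes so the value cannot
    terminate the enclosing "..." macro argument."""
    return s.replace('"', '\\"')


# Characters neutralised by the model's entity step (assumption: the real
# Foswiki set is wider). '%' blocks macro expansion, '< > &' block HTML.
_ENTITY_CHARS = "<>&%"


def encode_entity(s: str) -> str:
    """Model of encode="entity": numeric HTML entities for the characters above."""
    return "".join(f"&#{ord(c)};" if c in _ENTITY_CHARS else c for c in s)


def urlparam(value: str, encode: str) -> str:
    """Model of %URLPARAM{"name" encode="..."}%: apply each named encoding
    from the comma-separated list, left to right."""
    steps = {"quote": encode_quote, "entity": encode_entity}
    for name in (n.strip() for n in encode.split(",")):
        if name:
            value = steps[name](value)
    return value


def expands_macro(text: str) -> bool:
    """Simplified detector for a Foswiki macro left in page text: %NAME% or %NAME{...}%."""
    return re.search(r"%[A-Z]+(\{.*?\})?%", text) is not None


def parse_search_arg(macro_text: str) -> str:
    """Model of the macro parser reading the first "..." argument of
    %SEARCH{...}%, honouring \\" escapes produced by quote encoding."""
    m = re.match(r'%SEARCH\{"((?:[^"\\]|\\.)*)"', macro_text)
    if m is None:
        raise ValueError("malformed SEARCH macro")
    return m.group(1).replace('\\"', '"')


def search_term(value: str, encode: str, decode: str) -> str:
    """Expand URLPARAM into %SEARCH{"..." decode="..."}%, parse the argument
    the way the macro parser would, then apply SEARCH's decode step.
    Returns the string the search engine would actually search for."""
    expanded = urlparam(value, encode)
    macro_text = f'%SEARCH{{"{expanded}" decode="{decode}"}}%'
    term = parse_search_arg(macro_text)
    if decode == "entity":
        term = html.unescape(term)  # reverses the numeric entities
    return term


if __name__ == "__main__":
    for label, value in SAMPLE_INPUTS.items():
        quoted = urlparam(value, "quote")
        both = urlparam(value, "quote, entity")
        print(f"{label:9} quote only -> {quoted!r}  macro left? {expands_macro(quoted)}")
        print(f"{label:9} quote+ent  -> {both!r}  macro left? {expands_macro(both)}")
        print(f"{label:9} searched   -> {search_term(value, 'quote, entity', 'entity')!r}")
```

The macro sample shows the gap the task describes: with encode="quote" the expanded text still contains %INCLUDE{...}%, which the renderer would expand before the search runs, while encode="quote, entity" leaves only &#37; in the page text. The breakout sample shows the opposite gap: entity encoding alone leaves the embedded quote in place, so the parser reads the argument as just "x" and the remainder becomes an injected SEARCH parameter. Only the combination, paired with decode="entity", hands the search engine the user's original string.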

Action needed: We recommend that administrators search for any locally created or modified topics that use the URLPARAM macro and ensure that entity encoding is used wherever possible, to prevent injection of macros or JavaScript.
Topic revision: r10 - 10 Oct 2015, GeorgeClark