FIX: XSS #63

Open
wants to merge 34 commits into
base: development

Conversation


@dops dops commented Apr 23, 2018

  • It is possible to name HTML tags in the query parameter. In this way XSS attacks are possible. If you, for example, have a query like this

query=">trolopwnd<img+src%3Dy+onerror%3Dprompt('openbugbounty')>

a foreign JS script will be executed when the search is finished.

Please note that the source and target branches must be "development" (details: https://github.com/FACT-Finder/FACT-Finder-PHP-Library/wiki/Guide-for-contributors).

tuegeb and others added 30 commits August 7, 2015 18:04
* release:
  CHG: Update changelog
  FIX: undefined indexes
  use followSearch from simiFirstRecord only if search was not sorted
  use enum for different values of articlenumberstatus
  fixed documentation of Search::setIdsOnly()
  added missing parameter of Data/Item::setUrl()
  added functions to manipulate url of Data/Item to allow for URL customization
  Added resetLoaded() function to request to force loaded state to false, forcing a check of whether the url changed. TriggerImport functions always reset the loaded state of the request, as they set multiple parameters, which means the url changes. Added idsOnly possibility to multiple adapters. If records are no longer up to date, reset the loaded state of the request before getting the response to ensure a reload from the server.
  fixed typo/missing character in Util/CurlStub causing unit tests to fail
  added option to get whole array of feedbacktexts of Campaign-Object
  added function getAdvisorStatus to Data SearchParameters
  added function to setSid for personalisation module, added function getFollowSearchValue to retrieve followSearch from simiFirstRecord or request parameters and added function isArticleNumberSearch to Adapter "Search"
  prevent unnecessary encoding provided by Keywan Ghadami <[email protected]>
  Update documentation for release 1.1.0
* release:
  CHG: updated change log
  Fixed uncaught json_decode exception
  Added possibility to disable the custom classes
  CHG: optimization
* release:
  updated version and php doc
  introduced abstract configuration class, removed legacy code
  Update Search.php
  RMV: old tracking adapter
  Get followSearch from result and use 0 instead of 10000 as fallback.
  fallback to followSearch = 10000 instead of 0 if no followSearch value could be acquired as FF6.10 requires it
  added missing whitelist param "mainId" to test config.xml
  fixed some wrong documentation and assoc array key
  added missing parameters for whitelist to test config and changed parameter "userid" in ScicTracking to correct "userId"
  Added functionality for parameter whitelist to configuration for both server and client. Added values for whitelist to test configuration
  log error and stacktrace if response from FF contains error/stacktrace
* release:
  RMV: modified files
  CHG: updated php doc/change log for release 1.2.1
  New ArrayConfiguration with test data and tests
  FIX: single-word-search + too long test file names
  CHG: Optimization
* development:
  CHG: updated changelog
  FIX: undefined indexes issue
* release:
  CHG: updated changelog
  FIX: undefined indexes issue
* release:
  Update documentation release 1.2.4
  CHG: updated changelog
  CHG: removed legacy tracking code
  CHG: added userId parameter to methods
  Update XmlConfiguration.php
* development:
  CHG: license has been changed from GPL to MIT
* release:
  CHG: license has been changed from GPL to MIT
* release:
  CHG: Updated documentation for 1.2.5
  CHG: updated changelog
  CHG: SEO-Enhancer integration FACT-Finder#55
  CHG: method to set session id for recommendations
  special SortingItems to use full information about sortings as returned in FACT-Finder response
  changed hasSelectedItems() to work on a copy of the filter
* development:
  Update documentation for release 1.3.0
  CHG: updated changelog
  CHG: Update for FF7.2
* release:
  Update documentation for release 1.3.0
  CHG: updated changelog
  CHG: Update for FF7.2
* development:
  FIX: default parameter whitelist
* release:
  FIX: default parameter whitelist
* development:
  CHG: Updated changelog
  CHG: Completed SEO Enhancer integration
* release:
  CHG: Updated changelog
  CHG: Completed SEO Enhancer integration
tuegeb and others added 4 commits October 20, 2017 15:38
* release:
  1.3.2
…XSS attacks are possible. If you, for example, have a query like this

query=">trolo<i>pwnd<img+src%3Dy+onerror%3Dprompt('openbugbounty')>

a foreign JS script will be executed when the search is finished.
@dops changed the title from "Development" to "FIX: XSS" on Apr 23, 2018
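The reflection described in the PR description and in the truncated commit message above, reconstructed as an added example. This is illustrative PHP written for this page, not code from FACT-Finder-PHP-Library or from the PR's diff; the function names, the `<input>`/`<p>` markup and the CLI fallback to the PR's payload are all assumptions. It shows why the leading `">` in the payload matters (it closes the attribute and the tag that the search term is echoed into) and how context-appropriate HTML encoding at the output sink stops the injected `<img onerror=...>` from becoming live markup.

```php
<?php
// Added example, not code from FACT-Finder-PHP-Library: shows the reflected-XSS
// pattern described in PR #63 and one way to neutralise it with output encoding.
declare(strict_types=1);

// Payload from the PR description, URL-decoded. The raw URL form on the page is
// query=">trolopwnd<img+src%3Dy+onerror%3Dprompt('openbugbounty')>
const ATTACK_QUERY = '">trolopwnd<img src=y onerror=prompt(\'openbugbounty\')>';

/**
 * Vulnerable (hypothetical): the search term is written back into the page
 * verbatim. The leading '">' closes the value attribute and the <input> tag,
 * so the attacker's <img onerror=...> becomes a real element and the handler
 * fires as soon as the browser fails to load the image "y".
 */
function renderSearchBoxUnsafe(string $query): string
{
    return '<input type="text" name="query" value="' . $query . '">'
         . '<p>Results for: ' . $query . '</p>';
}

/** Encode a value for an HTML text node or a double-quoted attribute. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Hardened (hypothetical): every user-controlled value is HTML-encoded at the
 * point it is written into markup. '"' becomes &quot; and '<' becomes &lt;,
 * so the attribute cannot be closed early and no new element can be opened.
 */
function renderSearchBoxSafe(string $query): string
{
    return '<input type="text" name="query" value="' . h($query) . '">'
         . '<p>Results for: ' . h($query) . '</p>';
}

/**
 * Crude check for the demo only: does the rendered HTML contain a live <img>
 * element? After encoding, the text "&lt;img" is present but no tag is.
 */
function containsInjectedTag(string $html): bool
{
    return preg_match('/<img\b/i', $html) === 1;
}

// $_GET is empty under the CLI, so the PR's payload is used there;
// served through a web server, ?query=... is reflected as in the report.
$query = $_GET['query'] ?? ATTACK_QUERY;

echo "Unsafe:\n", renderSearchBoxUnsafe($query), "\n";
echo 'live injected tag: ', containsInjectedTag(renderSearchBoxUnsafe($query)) ? 'yes' : 'no', "\n\n";
echo "Safe:\n", renderSearchBoxSafe($query), "\n";
echo 'live injected tag: ', containsInjectedTag(renderSearchBoxSafe($query)) ? 'yes' : 'no', "\n";
```

Run with `php example.php` to see both renderings side by side. The encoder used here covers only HTML text and quoted-attribute contexts; a search term that is also written into a JavaScript string, a URL or an unquoted attribute needs the encoder for that context, and `containsInjectedTag()` is a demonstration aid rather than a sanitiser.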
2 participants