Ajaxy Live Search
[resolved] Security XSS issue (6 posts)

  1. Emon Vida
    Member
    Posted 3 months ago #

    Hello,

    The user can inject HTML and Java in the search input! I think it's an XSS bug?

    Thanks for your great work.

    https://wordpress.org/plugins/ajaxy-search-form/

  2. n-for-all
    Member
    Plugin Author

    Posted 3 months ago #

    The user cannot inject HTML nor Java into the input. In fact, I am aware of the security measures in creating an AJAX app and cross-site scripting; that's why I interact with only the tables I need and use the prepare function for WordPress to prevent such attacks on the database. If you were able to inject it, that means you are able to inject any plugin that uses WordPress AJAX functionality.

    I would love to know how you did it, if you really did that.

    Cheers

  3. Emon Vida
    Member
    Posted 3 months ago #

    Hi n-for-all,

    Thank you for your response. I don't have the background for it, but someone sent me a message stating that there is an issue and wrote me some code to test it, such as <script>alert(document.cookie);</script> ??

    I don't know what he means, but if there is no issue, can you disable this feature? Like using htmlspecialchars or something?

    Regards

  4. Emon Vida
    Member
    Posted 3 months ago #

    Hi,

    A friend told me that there is no problem, as you mentioned to me, and it only just prints the code with no injection or any security issue.

    Thank you and I apologize for any misunderstanding.

  5. n-for-all
    Member
    Plugin Author

    Posted 3 months ago #

    OK, great, thank you for clarifying that.

  6. Emon Vida
    Member
    Posted 3 months ago #

    You are welcome (:
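
The thread mentions two different defenses: the WordPress prepare function, which protects the SQL query, and htmlspecialchars, which encodes values for HTML output. The following is an added example, not the plugin's code and not written by any poster, showing each at its own layer. PDO with in-memory SQLite stands in for the WordPress database layer (in WordPress the counterparts are `$wpdb->prepare()` and `esc_html()`), and the table and function names are hypothetical.

```php
<?php
// Added example, not Ajaxy Live Search code. Table, column and function
// names are hypothetical; PDO + in-memory SQLite stands in for $wpdb.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (title TEXT)');
$db->exec("INSERT INTO posts (title) VALUES ('Hello world'), ('Search tips')");

// Parameterized LIKE query: the term is bound as data, so it cannot
// change the SQL statement. It is NOT modified for HTML contexts.
function search_titles(PDO $db, string $term): array {
    // Escape LIKE wildcards so % and _ in the term match literally.
    $like = '%' . addcslashes($term, '\\%_') . '%';
    $stmt = $db->prepare("SELECT title FROM posts WHERE title LIKE ? ESCAPE '\\'");
    $stmt->execute([$like]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// HTML output: every dynamic value is encoded at the point of output.
function render_results(string $term, array $titles): string {
    $enc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $html = '<p>Results for "' . $enc($term) . '":</p><ul>';
    foreach ($titles as $title) {
        $html .= '<li>' . $enc($title) . '</li>';
    }
    return $html . '</ul>';
}

// Constructed sample inputs: a normal term and the test string from the thread.
foreach (['search', '<script>alert(document.cookie);</script>'] as $term) {
    $titles = search_titles($db, $term);
    echo render_results($term, $titles), PHP_EOL;
}
```

With the second input the query returns no rows and the term is rendered as inert text (`&lt;script&gt;...`), which is the "just prints the code" behaviour described in the thread.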
