Support » Plugin: PiwikSearchEngineKeywords » [Plugin: PiwikSearchEngineKeywords] XSS Security issue in Plugin

  • Hi

    If I search for <script>alert(‘test’);</script> and piwik register it, the JS code is completly betted in to the webpage and this is a XSS security risk on very high level!

    Please add htmlentities() to the publish of the keywords on line 222 in the plugin like:

    if ($i != $qresult->rowCount() - 1)
                        $keywords = $keywords . '<li>' . htmlentities($keyword) . '</li>' . (($separator_on == true && $this->separator != "") ? '<li class="psek_separator">' . $this->separator . '</li>' : '');
                    else
                        $keywords = $keywords . '<li>' . htmlentities($keyword) . '</li>';

    This is strongly recommended!!

    Regards

    http://wordpress.org/extend/plugins/piwik-search-engine-keywords/

Viewing 1 replies (of 1 total)
Viewing 1 replies (of 1 total)
  • The topic ‘[Plugin: PiwikSearchEngineKeywords] XSS Security issue in Plugin’ is closed to new replies.