Possible XSS vulnerability?

[davidhund]

I implemented Search Index in a site recently and already notice XSS attacks ("tries", I guess) popping up in the logs.

While I don't think there are serious issues one keyword does result in a XSLT error:

loadXML(): attributes construct error in Entity, line: 275
loadXML(): Couldn't find end of Start Tag keyword line 275 in Entity, line: 275

I am hesitant to post the triggering keyword but could mail you more details personally?

[nickdunn]

Hi David.

nick [at] nick-dunn [dot] co.uk will reach me.

Thanks :-)

[animaux]

@davidhund has this been resolved back then?

[davidhund]

Hi @animaux — that's a long time ago and I have not worked with Symphony much since then so I do not know. I believe @nickdunn was thinking about abandoning SI and moving to an ElasticSearch plugin. But I honestly would not know where things stand a.t.m.

[animaux]

Thanks David. Nick is long gone from the Symphony CMS community. ElasticSearch is no option for my projects, so I’m trying to keep this one alive :) Just wanted to see if there was anything done about this back then.

[nitriques]

@animaux Try to wrap the values in cdata section. The xml failing to load is kind of normal when you input thing into it that is not valid.