XSS vulnerability in template file

Hello,

One of our IT department’s student workers noticed that there’s a potential XSS vulnerability in our search page. I replicated the issue on our development server, but I’m running into some difficulty. It seems to be running extremely slowly and aggressively caching page templates.

I believe that I narrowed down the template to /public_html/_ingredients/themes/global/components/calendar/default-components/lw_cal_showing.html.

My initial idea was just to remove the quotes from around the anchor tag on line 39 as a temporary fix. But, if there’s a possible XSS vulnerability in one area, it may be in others. I couldn’t quite figure out from the documentation or class.events_calendar.php what kind of sanitization might be done or if there are additional templating filters we can use.

Can you offer some guidance on how to proceed? If possible, keep the URLs for the site(s) private.

Thanks,
Adam

Hi Adam,

Sure thing. We do a bunch of sanitization, but sometimes there are edge cases that get identified, and we can issue patches for those in the LiveWhale core code.

Could you just copy/paste into a reply the example URL you shared (minus the hostname)? I can see /all/search/ in your screenshot, but having the exact syntax of the onmouseover code you used would be great for us to reproduce this. Thanks,

Karl

Hi Karl,

Thanks very much. Here’s an example of the route at issue

/all/search/" onmouseover%3D"alert(1)"

In lw_cal_showing.html, I see

"<a href="{{ obj.search_str }}" class="lw_cal_showing_search">{{ obj.search_str }}</a>"

and I wonder if the quotes on the outside of the anchor tag are causing a problem. But, I’m having a hard time testing different ideas because the dev site is quite slow and seems to be caching the page at the search route.

Adam

Thanks Adam! I see what you mean; we've got this filed for a fix shortly, and we'll keep this thread updated when it's ready.

Hi Karl,

Thanks for the quick response! I’ll let my team know.

I hope you have a good weekend.

Adam

Hi Adam,

Thanks for bringing this to our attention – we’ve found that this XSS vulnerability was introduced in our last release LiveWhale 2.21.1 with the change

  • Fixed an issue that prevented quoted / exact searches from being permitted on the frontend calendar.

We needed to adjust our search string sanitization code now that quotes are allowed, in order to avoid the “now showing” component getting tweaked in the way you found. (Almost all inputs pass through LiveWhale’s PHP security and sanitization suite, but that calendar now-showing component is one of the few exceptions, it turns out!)

We’ve made that patch and it’ll be released in our next minor version release, which I believe is going to dev servers this weekend.

Thanks,
Karl
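The root cause Karl describes above (a template that drops the search string straight into an href attribute and into element text once quotes are allowed through) is easiest to see side by side with the corrected form. The block below is an added illustration, not LiveWhale's code or template engine: it uses Python as a stand-in for the PHP/Twig-style rendering, assumes the search string is whatever follows `/all/search/` in the route (`SEARCH_PREFIX` and `search_str_from_route` are constructed for this example), and checks the rendered markup with a real HTML parser rather than a string search, because the encoded output still contains the literal text `onmouseover=` inside the attribute value. The PHP equivalent of the hardening step is `htmlspecialchars($s, ENT_QUOTES, 'UTF-8')` applied at output time.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed sample built from the route quoted in the thread; the "%3D" is a
# URL-encoded "=" and is decoded before the value reaches the template.
SAMPLE_ROUTE = '/all/search/" onmouseover%3D"alert(1)"'
SEARCH_PREFIX = "/all/search/"  # assumed route layout for this example


def search_str_from_route(route: str) -> str:
    """Return the decoded search string that follows the search prefix."""
    decoded = unquote(route)
    if not decoded.startswith(SEARCH_PREFIX):
        raise ValueError("not a search route")
    return decoded[len(SEARCH_PREFIX):]


def render_unescaped(search_str: str) -> str:
    """The pattern at issue: the raw value lands in an href attribute and in
    element text with no output encoding (a stand-in for the template line,
    not the LiveWhale engine itself)."""
    return f'<a href="{search_str}" class="lw_cal_showing_search">{search_str}</a>'


def render_escaped(search_str: str) -> str:
    """Hardened form: HTML-encode for the quoted-attribute context and for the
    text context. quote=True also encodes both quote characters, so the value
    can no longer close the attribute or start a new one."""
    safe = html.escape(search_str, quote=True)
    return f'<a href="{safe}" class="lw_cal_showing_search">{safe}</a>'


class _StartTagAttrs(HTMLParser):
    """Collects the attribute names of the first start tag seen."""

    def __init__(self):
        super().__init__()
        self.names = None

    def handle_starttag(self, tag, attrs):
        if self.names is None:
            self.names = [name for name, _ in attrs]


def attribute_names(markup: str) -> list:
    """Parse the rendered markup the way a browser would and report which
    attributes actually ended up on the anchor."""
    parser = _StartTagAttrs()
    parser.feed(markup)
    parser.close()
    return parser.names or []


def has_event_handler(markup: str) -> bool:
    """True if any on* attribute was injected into the rendered tag."""
    return any(name.startswith("on") for name in attribute_names(markup))


if __name__ == "__main__":
    value = search_str_from_route(SAMPLE_ROUTE)
    for label, out in (("unescaped", render_unescaped(value)),
                       ("escaped", render_escaped(value))):
        print(f"{label}: handler injected = {has_event_handler(out)}")
        print("   ", out)
```

Note that attribute encoding only keeps the value inside the attribute; it does not validate that the resulting href is a sensible link. If a user-supplied value is used as a URL, restricting it to the forms the page actually expects (here, a relative search path) is a separate check worth adding alongside the encoding.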

Hi Karl,

That’s great! Thanks for the quick turnaround. I’ll close this issue.

Adam