Wordpress-使用Ajaxy Live Search插件的XSS

Question

I've installed Ajaxy Live Search Plugin v3.0.7 in my wordpress, but when searching something like:

<script>alert('123');</script>

I can see the alert on my browser.

Using firebug I can see that when typing on the search box I'm calling

/wp-admin/admin-ajax.php

sending these parameters:

action = ajaxy_sf
search = false
sf_value = <script>alert('123');</script>

How can I avoid this problem on my search box? Thanks in advance!

Answer 1

XSS is an output encoding problem. It's not about what parameters are sent in the request, the vulnerability manifests itself when a response is made (either to the same request or a different one).

In any response, output should be encoded according to the context. Depending on how your plugin works, it may either create partial html on the server or use DOM mainpulation in the browser while sending AJAX requests.

If it's creating partial html and inserting that into the page as the search results, the view that generates the partial html should be fixed by adding output encoding (ie. htmlspecialchars() in php, but there are other options too).

If it's just an ajax request and the page dom is manipulated in javascript, the application should make sure to only insert variables as text nodes and not whole dom subtrees with potential script nodes.

Either way, I think it should be done by the plugin. If it's not written correctly and vulnerable to XSS, pretty much the only way to fix it is to fix the plugin itself.