This topic contains 1 reply, has 2 voices, and was last updated by  Theme Author 2 years, 2 months ago.

Cross site scripting vulnerability

  • Hi, my website security service is telling me there’s a cross site scripting vulnerability in Search:


    URL:http://www.mysite.com/?s=Search
    Cross site scripting vulnerability found in args:s

    URL:http://www.mysite.com?=1&s=Search
    Cross site scripting vulnerability found in args:,s

    URL:http://www.mysite.com?=Search&s=Search
    Cross site scripting vulnerability found in args:,s

    Is that an issue with Energy’s search.php or searchform.php?

    Thank you.

    Hello,
    please try to replace the code in searchform.php with the one below:

    <form action="<?php echo esc_url( home_url( '/' ) ); ?>" id="searchform" method="get">
            <input type="text" id="s" name="s" value="<?php esc_attr_e('Search', 'energy') ?>" onfocus="if(this.value=='<?php esc_attr_e('Search', 'energy') ?>')this.value='';" onblur="if(this.value=='')this.value='<?php esc_attr_e('Search', 'energy') ?>';" autocomplete="off" />
            <input type="submit" value="<?php esc_attr_e('Search', 'energy') ?>" id="searchsubmit" class="hidden" />
    </form>
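
Added example, not part of the thread and not the Energy theme's code: the replacement form above prints only the fixed "Search" label and never the submitted `s` value. The theme's original searchform.php is not shown, so `render_raw()` below is an assumed stand-in for a template that writes `s` into the `value` attribute; the `esc_attr()` stub, the function names and the probe strings are constructed for illustration.

```php
<?php
// Added example; not the Energy theme's code. Runs with the PHP CLI (needs ext-dom).

// Stand-in so the script runs outside WordPress. Assumption: the real esc_attr()
// also checks UTF-8 validity and applies filters; the entity encoding is the core.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}

// Assumed "before": the submitted s value is written into value="..." as-is.
function render_raw($s) {
    return '<input type="text" id="s" name="s" value="' . $s . '" />';
}

// Hardened: the same reflection, encoded for an HTML attribute.
function render_escaped($s) {
    return '<input type="text" id="s" name="s" value="' . esc_attr($s) . '" />';
}

// Parse the markup and report what the resulting DOM contains.
function inspect_markup($html) {
    libxml_use_internal_errors(true); // tolerate the malformed "raw" output
    $doc = new DOMDocument();
    $doc->loadHTML('<html><body>' . $html . '</body></html>');
    $body  = $doc->getElementsByTagName('body')->item(0);
    $input = $doc->getElementsByTagName('input')->item(0);
    return array(
        'value'    => $input->getAttribute('value'),
        'attrs'    => $input->attributes->length,
        'elements' => $body->getElementsByTagName('*')->length,
    );
}

// Constructed probe strings (not taken from the scanner report).
$probes = array('Search', 'x"><b>probe</b>', 'x" onfocus="probe()', "it's");

foreach ($probes as $s) {
    foreach (array('raw' => render_raw($s), 'escaped' => render_escaped($s)) as $kind => $html) {
        $dom = inspect_markup($html);
        // Intact means: one element, the four expected attributes, value round-trips.
        $ok = $dom['value'] === $s && $dom['attrs'] === 4 && $dom['elements'] === 1;
        printf("%-8s %-22s %s\n", $kind, $s, $ok ? 'intact' : 'BROKE OUT');
    }
}
```

Inside a WordPress theme, `get_search_query()` returns the submitted term already passed through `esc_attr()` by default, so a form that does show the previous query can use it for the `value` attribute.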
