Minor XSS issue in Twenty Ten theme
Reported by: Viper007Bond. Owned by: ryan.
This is in Twenty Ten's search.php:
<h1 class="page-title"><?php printf( __( 'Search Results for: %s', 'twentyten' ), '<span>' . get_search_query() . '</span>' ); ?></h1>
get_search_query() does not feature any sanitization, so the search string is displayed raw.
To show the vulnerability, write a post with the following content and publish it:
<a href="http://wordpress.org/">This is a link</a>
Now enter that same string into the search box. The post will show up in the results as expected, but you'll get Search Results for: This is a link (which is clickable) instead of the actual search string.
Luckily Twenty Ten shows "Nothing Found" if there are no results, so this requires the string to be located in a post.
Still needs to be fixed though. See attached patch.
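The unescaped output beside the escaped form it should take, as an added example (not the attached patch and not Twenty Ten's code). The `$search_query` value is the constructed string from the report; in a theme the real `get_search_query()` and `esc_html()` would be used, and the `esc_html()` defined here is only a stand-in so the script runs outside WordPress.

```php
<?php
// Constructed input: the same markup the reporter published and searched for.
$search_query = '<a href="http://wordpress.org/">This is a link</a>';

// Stand-in for WordPress's esc_html() so this file runs without WordPress loaded.
// Inside a theme the real esc_html() is already defined and this block is skipped.
if ( ! function_exists( 'esc_html' ) ) {
	function esc_html( $text ) {
		return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8' );
	}
}

// Vulnerable pattern, as in search.php: the query is placed into the markup raw,
// so any tags in it are parsed by the browser instead of shown as text.
function search_title_raw( $query ) {
	return sprintf( '<h1 class="page-title">Search Results for: <span>%s</span></h1>', $query );
}

// Hardened pattern: escape the untrusted value before it is concatenated into HTML.
// In the theme this is esc_html( get_search_query() ) in place of get_search_query().
function search_title_escaped( $query ) {
	return sprintf( '<h1 class="page-title">Search Results for: <span>%s</span></h1>', esc_html( $query ) );
}

echo "Raw:     ", search_title_raw( $search_query ), "\n";
echo "Escaped: ", search_title_escaped( $search_query ), "\n";
```

Run with the PHP CLI: the first line still contains a live `<a>` element, the second contains only `&lt;`/`&gt;`/`&quot;` entities, which the browser renders as the literal search string.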