Performing a search for something like `<script> alert("hi");</script>` will cause that JavaScript to be injected into the page.
I saw this happen on the CAB site.

It would probably be worth ensuring all user input is sanitised before being added to the page. Perhaps around https://github.com/edds/display-screen/blob/master/public/javascripts/search.js#L100
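
One way to do the sanitising suggested above, shown as an added example (it is not code from display-screen's `search.js` or from the original report): the search term is HTML-escaped at the point where it is written into markup. The function names and the heading markup are assumptions made for illustration.

```javascript
// Added example: all names and the <h2> markup are hypothetical,
// not taken from search.js.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode the five characters that can change the HTML parsing context.
// A single pass over the input means "&" is never double-encoded.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Pattern that produces the reported behaviour: the search term is
// concatenated into markup unchanged, so the browser parses it as HTML.
function renderHeadingUnsafe(term) {
  return '<h2>Results for "' + term + '"</h2>';
}

// Corrected form: the term is escaped where it is output, so it is
// displayed as text and never parsed as an element.
function renderHeadingSafe(term) {
  return '<h2>Results for "' + escapeHtml(term) + '"</h2>';
}

// Constructed sample input: the search term quoted in the report.
const reportedTerm = '<script> alert("hi");</script>';

console.log("unsafe:", renderHeadingUnsafe(reportedTerm));
console.log("safe:  ", renderHeadingSafe(reportedTerm));
```

Where the term is only ever shown as text, assigning it through the DOM's `textContent` property avoids building markup from user input at all.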