We are using v220.127.116.11 and our PCI scan revealed a level 10.0 (highest) vulnerability regarding the catalogsearch/result:
Cross-Site Scripting in HTML \'script\' tag
Apart from upgrading, how can we prevent this? Would upgrading likely fix this?
I am also getting report from my site PCI as following
Injected into the "q" form parameter (Using method POST) on http://www.example.com/catalogsearch/result/: 1041: _gaq.push([ 1042: '_trackEvent', 1043: 'Search', 1044: 'Search with no Results', 1045: "\\\"><script>992170282",
I am using Magento 18.104.22.168 version. Did you find a solution for this?
I was having the following code in my custom phtml file
_gaq.push(['_trackEvent', 'SiteSearch', <?php echo Mage::helper('core')->jsonEncode($this->helper('catalogSearch')->getQueryText()); ?> ,, <?php echo $this->getResultCount();?> , true]);
I replaced it with following
gaq.push(['_trackEvent', 'SiteSearch', <?php echo Mage::helper('core')->jsonEncode($this->helper('catalogSearch')->getEscapedQueryText()); ?> ,, <?php echo $this->getResultCount();?> , true]);
Notice in second code line getEscapedQueryText()) and it fixed the issue.
Your custom template probably fails to properly sanitize the output. It needs to return the query string with something like this:
$this->__("Search results for: '%s'", $this->helper('catalogsearch')->getEscapedQueryText())
As to this one, somebody customized the template to push search queries to Google Analytics and doesn't understand properly escaping user provided content which needs to have
applied to it.