xss in search form with 2.3.5.p1

Hi there!


I upgraded my Magento CE to version 2.3.5.p1 but I still have XSS vulnerabilities.


A Vega scan throws this at me:

Classification: Input Validation Error
Resource: /catalogsearch/result/
Parameter: q
Method: GET
Risk: High

Cross-site scripting (XSS) is a class of vulnerabilities affecting web applications that can result in security controls implemented in browsers being circumvented. When a browser visits a page on a website, script code originating in the website domain can access and manipulate the DOM (document object model), a representation of the page and its properties in the browser. Script code from another website cannot. This is known as the "same origin policy", a critical control in the browser security model. Cross-site scripting vulnerabilities occur when a lack of input validation permits users to inject script code into the target website such that it runs in the browser of another user who is visiting the same website. This would circumvent the browser same-origin policy because the browser has no way to distinguish authentic script code from inauthentic, apart from its origin.

GET /catalogsearch/result/?q=1'%20-->">'>'"

GET /http:/'%20style=-->">'>'"


I overrode the module to sanitize the input value but it still throws the same.


Does this vulnerability belong to Magento Core, or is there anything else I can do?


Thanks in advance.


Re: xss in search form with 2.3.5.p1



Filter all data collected from the client including user-supplied content and browser content such as Referrer and User-Agent headers.

Any data collected from the client and displayed in a Web page should be HTML-encoded to ensure the content is rendered as text instead of an HTML element or JavaScript.


Manish Mittal
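The advice above (encode everything that came from the client, headers included, before it goes into HTML) is the core of the fix for a reflected finding on a parameter like q. The following is an added example, not code from this thread or from Magento: it renders the search term the way a template might, once unencoded and once HTML-encoded, feeds both the exact probe Vega sent, and runs the same check a scanner does (does the raw probe survive in the response body?). The function names, the constructed probe constant and the simplified reflection check are assumptions for illustration; the Magento escaper calls named in the comments (`$block->escapeHtml()`, `$block->escapeHtmlAttr()`) are the real template helpers.

```php
<?php
// Added example (not Magento code): raw reflection of the search term versus
// the HTML-encoded output that the reply above describes.
declare(strict_types=1);

// Constructed input: the URL-decoded form of Vega's probe
// /catalogsearch/result/?q=1'%20-->">'>'"
const VEGA_PROBE = "1' -->\">'>'\"";

// Vulnerable: the raw term lands inside an attribute value, so the double
// quote in the probe closes the attribute and everything after it is markup.
function renderSearchBoxVulnerable(string $q): string
{
    return '<input type="text" name="q" value="' . $q . '">';
}

// Hardened: encode for the HTML context before output. ENT_QUOTES covers
// both quote styles (needed inside attributes); ENT_SUBSTITUTE replaces
// invalid UTF-8 instead of returning an empty string. In a Magento .phtml
// template the equivalents are $block->escapeHtmlAttr($q) for attribute
// values and $block->escapeHtml($q) for element text.
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderSearchBoxHardened(string $q): string
{
    return '<input type="text" name="q" value="' . encodeForHtml($q) . '">';
}

// Simplified version of the scanner's test: the finding fires when the probe
// comes back byte-for-byte. An encoded reflection (&quot; &#039; &gt;) does
// not match and is not exploitable. Real scanners also check the context.
function probeIsReflectedRaw(string $body, string $probe): bool
{
    return strpos($body, $probe) !== false;
}

// Header-sourced values need the same treatment: Referer and User-Agent are
// attacker controlled exactly like the query string.
function renderDebugFooter(array $server): string
{
    $ua  = encodeForHtml($server['HTTP_USER_AGENT'] ?? '');
    $ref = encodeForHtml($server['HTTP_REFERER'] ?? '');
    return "<p>UA: {$ua} Ref: {$ref}</p>";
}

$vulnerable = renderSearchBoxVulnerable(VEGA_PROBE);
$hardened   = renderSearchBoxHardened(VEGA_PROBE);

echo "vulnerable: {$vulnerable}\n";
echo "hardened:   {$hardened}\n";
echo 'raw reflection (vulnerable): ' . var_export(probeIsReflectedRaw($vulnerable, VEGA_PROBE), true) . "\n";
echo 'raw reflection (hardened):   ' . var_export(probeIsReflectedRaw($hardened, VEGA_PROBE), true) . "\n";
echo renderDebugFooter(['HTTP_USER_AGENT' => '<script>alert(1)</script>', 'HTTP_REFERER' => 'http://example.test/?x="']) . "\n";
```

Run it with `php example.php`; the vulnerable line shows the probe breaking out of the `value` attribute, the hardened line shows `&quot;`, `&#039;` and `&gt;` in its place, and the reflection check flips from true to false. Encoding has to happen at output time in the template, per context; sanitizing the value once on input (as the original post tried) is not a substitute, because the same term is reflected in several places (page title, input value, result heading) with different escaping needs.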

Re: xss in search form with 2.3.5.p1

Thanks!! I'd already done that.


It was an .htaccess misconfiguration.



Re: xss in search form with 2.3.5.p1

Running into something similar; can you share your fix? You said it was an .htaccess misconfiguration?