Reflected XSS on the home page

[MatanSandori]

Describe your issue

Hi, I’m a security researcher building my CVE portfolio. I found a reflected XSS on the WikiDocs home page.

Proof of concept

http://127.0.0.1/"><script>alert(42)</script>
http://127.0.0.1/%22%3E%3Cscript%3Ealert(1)%3C/script%3E

Path input should be HTML-escaped (e.g., htmlspecialchars($path, ENT_QUOTES, 'UTF-8')) so injected markup cannot run.

Can I report future issues privately via email or a contact form?

Best,
Matan Sandori

Device and settings

Setup: docker run -d -p 80:80 zavy86/wikidocs

Steps to reproduce

http://YOUR-HOST/"><script>alert(42)</script>
http://YOUR-HOST/%22%3E%3Cscript%3Ealert(1)%3C/script%3E

Screenshots (optional)

Extra fields

• I'd like to work on this issue

[Zavy86]

Hi, thanks! If you could open a pull request with the fix, it would be greatly appreciated!

[MatanSandori]

Hi there,

Thanks for getting back to me!

I'm afraid I don't yet know the codebase well enough to open a clean pull request, but I'm happy to share the exact mitigation. If you visit a URL like

https://demo.wikidocs.app/Find_Me
view-source:https://demo.wikidocs.app/Find_Me

you'll see the path value reflected in several places. Escaping that value before rendering prevents the reflected-XSS issue:

htmlspecialchars($path, ENT_QUOTES, 'UTF-8');

Applying the same pattern to every place the path (or any other user-supplied input) is echoed should resolve it.

Best,
Matan Sandori.