Advisories for Gem/Govuk_tech_docs package

2023

govuk_tech_docs vulnerable to unescaped HTML on search results page

Pages that are indexed in search results have their entire contents indexed, including any HTML code snippets. These HTML snippets would appear in the search results unsanitised, so it was possible to render arbitrary HTML or run arbitrary scripts. This is a low-risk security issue; to exploit it, an attacker would need to find a way of committing malicious code to a page indexed by a site that uses …