Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

[Masthead Search] XSS scripting vulnerability in search

See original GitHub issue


attacker can run js through the search component in masthead

Component(s) impacted



No response

Carbon for version



Severity 1 = The design is broken in a critical way that blocks users from completing tasks or damages the brand. Affects major functionality, no workaround.





CodeSandbox example


Steps to reproduce the issue (if applicable)

Steps To Reproduce: 1.Go to 2. Now put this payload on the search icon "><img src=x onerror=alert(document.cookie)> and hit enter. 3. It will execute the XSS payload in the URL.

Release date (if applicable)

No response

Code of Conduct

Issue Analytics

  • State:closed
  • Created 2 years ago
  • Comments:7 (4 by maintainers)

github_iconTop GitHub Comments

jeffchewcommented, Oct 29, 2021

@kyjak IBM Search team handles it the same way as Google Search:"><img src%3Dx onerror%3Dalert(document.cookie)>

The input isn’t sanitized in the client side, but on the application side with the search results. The url can be constructed by any user, whether if malicious or not. The client side still does a encodeURIComponent to the string before redirecting, but we expect the application to do what it needs with the data being passed and not stripped beforehand.

jeffchewcommented, Oct 28, 2021

Hi @kyjak ,

This issue will remain closed, we still believe that the inputs need to be sanitized on the application side, as the search field in the Carbon for components are nothing more than constructing a redirect url and sending the user there. The redirect url itself can still be constructed and executed without the Masthead, which is still a security risk from the application perspective. Sanitizing on the client-side cannot prevent this, and might introduce other bugs or unknown side effects.

cc: @RobertaJHahn @emyarod @ljcarot

Read more comments on GitHub >

github_iconTop Results From Across the Web

How to Find XSS Vulnerability
In this guide, we explain how to find Cross-site scripting (XSS) vulnerability in web applications, including what you can do to prevent it....
Read more >
Mutation XSS in Google Search
The vulnerability in the Closure library was very difficult to detect. It relied on a rarely used technique called mutation XSS. Mutation XSS...
Read more >
Cross Site Scripting (XSS) - OWASP Foundation
How to Determine If You Are Vulnerable. XSS flaws can be difficult to identify and remove from a web application. The best way...
Read more >
XSS on Google Search - Sanitizing HTML in The Client?
An actual XSS on by Masato Kinugawa. It abuses a parsing differential between a JavaScript enabled and disabled context.
Read more >
What is cross-site scripting | How to prevent an XSS attack
Cross-site scripting —referred to as XSS—is an application vulnerability that ... Automatically find, prioritize and fix vulnerabilities in the open source ...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found