I ran into a weird issue with a client where I implemented Swiftype search. If something like the following query parameters were put in, `#stq=<script>window.location.replace('https%3A%2F%2Fgoogle.com')<%2Fscript>&stp=1`, then the `submitSearch` function would execute the query parameter JavaScript. This example is fairly benign, but it could be an issue for something more malicious. Adding `query = encodeURI(query);` after line 82 in the file `jquery.swiftype.search.js` appears to resolve the issue for me, but I would not say I am sophisticated enough in JavaScript security to know if this still leaves a vulnerability.
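The following is an added example, not code from the Swiftype plugin or from the issue's author. It assumes the search term is read from the `stq` hash parameter and later written into the page as HTML, and it compares `encodeURI` with escaping for the HTML context; the names `readHashQuery`, `escapeHtml`, `renderSummary` and `leftAloneByEncodeURI` are hypothetical.

```javascript
// Added example (hypothetical helper names; not the plugin's code).
// Assumption: the plugin reads the search term from the "stq" hash
// parameter and later writes it into the page as HTML.

// Parse "#stq=...&stp=1" and return the percent-decoded search term.
function readHashQuery(hash) {
  const params = new URLSearchParams(hash.replace(/^#/, ''));
  return params.get('stq') || '';
}

// Characters that are significant in HTML text and quoted attributes.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
};

// Escape a value for the HTML context it is about to be written into.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the "results for ..." markup with the term rendered as inert text.
function renderSummary(term) {
  return '<p class="st-summary">Results for <em>' + escapeHtml(term) + '</em></p>';
}

// encodeURI is a URL encoder, not an HTML encoder. This lists the
// HTML-significant characters it returns unchanged.
function leftAloneByEncodeURI() {
  return Object.keys(HTML_ESCAPES).filter((ch) => encodeURI(ch) === ch);
}

// The hash from the issue report, reused here as sample input.
const SAMPLE_HASH =
  "#stq=<script>window.location.replace('https%3A%2F%2Fgoogle.com')<%2Fscript>&stp=1";

const term = readHashQuery(SAMPLE_HASH);
console.log('decoded term :', term);
console.log('html-escaped :', renderSummary(term));
console.log('encodeURI    :', encodeURI(term));
console.log('not encoded by encodeURI:', leftAloneByEncodeURI());
```

Where the value is inserted with jQuery, writing it with `.text()` instead of `.html()` has the same effect as `escapeHtml` without manual escaping.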