Vulerability severity so high that in these theme iam facing a problem with Cross site scripting in URLS.

Example : If i give the URL as http://localhost/site/node/1/%22%3e%3cscript%3ealert(45375)%3c/script%3e
it is executing the script and disturbing whole site.
the following screen appears when above url is given.

while giving same url changing zero point theme to default bartik theme it is not allowing scripts.
how disable javascripts in URLS.Please help soon.Please give me reply soon i have to move my site to production.

My Testing report was like this

The following changes were applied to the original request:
• Set path to '/sitename/node/30/%22%3e%3cscript%3ealert(45375)%3c/script%3e'

Validation In Response:
• 5375 page-node-scriptalert45375-script node-type-page not-admin section-node
page-node/30/">

alert(45375) alert(45375) alert(45375)

layout-jello var bicons48 picons
himg lg-en " >

CommentFileSizeAuthor
Screenshot from 2012-11-02 15:44:01.png78.96 KBsahithi

Comments

sahithi’s picture

Cross site scripting in site.
hey i got it

Change line number 36 in template.php
$path = drupal_get_path_alias($_GET['q']); to
$path = drupal_get_path_alias(check_plain($_GET['q']));

florian’s picture

Status: Needs review » Closed (fixed)

Fixed in zeropoint 6.x-1.18

florian’s picture

Issue summary: View changes

My Testing report was like this

The following changes were applied to the original request:
• Set path to '/sitename/node/30/%22%3e%3cscript%3ealert(45375)%3c/script%3e'

Validation In Response:
• 5375 page-node-scriptalert45375-script node-type-page not-admin section-node
page-node/30/">

alert(45375) alert(45375) alert(45375)

layout-jello var bicons48 picons
himg lg-en " >