Detect XSS in Ticket Search Form

[hypnguyen1209]

otobo/Kernel/Output/HTML/Templates/Standard/CustomerDashboard.tt

Line 30 in 59dda3b

<input type="text" name="Fulltext" id="oooSearch" title="[% Translate('Ticket Search') | html %]"/>

I have discovered an XSS vulnerability in your source code, I hope you will fix it as soon as possible.
Thank you!
POC: https://drive.google.com/file/d/1hBRq_H6h55TLen0ULDRKEDnwBfpRK-fr/view?usp=sharing

[svenoe]

Hi Nguyen,
thank you very much for letting us know! (The preferred way would be to send us a mail to security@otobo.org, but better here than not at all. :) )

Your video doesn't load for me, but from the preview I guess it is clear, and I added a fix to it. I will close the issue for now and try loading the video at another time again. If you are up for it, you could also just replace the changed file, run
bin/otobo.Console.pl Maint::Cache::Delete
from /opt/otobo and see if everything is fixed.

Thanks again, Sven