[GH-ISSUE #1076] Whoogle XSS #654

Closed
opened 2026-02-25 20:36:14 +03:00 by kerem · 0 comments

Originally created by @0xspade on GitHub (Oct 6, 2023).
Original GitHub issue: https://github.com/benbusby/whoogle-search/issues/1076

Describe the bug
The current version of Whoogle is vulnerable to XSS: if a result contains the XSS payload `<iframe srcdoc="&#60;&#115;&#99;&#114;&#105;&#112;&#116;&#62;alert('XSS - 13')&#60;&#47;&#115;&#99;&#114;&#105;&#112;&#116;&#62;"></iframe >`, it will trigger the XSS.

To Reproduce
Steps to reproduce the behavior:

  1. Search the keyword `iframe srcdoc xss`
  2. Wait for the prompt

[screenshot: whoogle xss](https://github.com/benbusby/whoogle-search/assets/18681023/7d885ae3-9ea9-4728-9b48-4f5c0374e611)

Deployment Method

  • [ ] Heroku (one-click deploy)
  • [x] Docker
  • [ ] `run` executable
  • [ ] pip/pipx
  • [ ] Other: [describe setup]

Version of Whoogle Search

  • [x] Latest build from [Docker]
  • [ ] Version [version number]
  • [ ] Not sure
kerem 2026-02-25 20:36:14 +03:00: closed this issue; added the "bug" label
Reference
starred/whoogle-search#654