Phpmyfaq · Phpmyfaq · CVE-2026-46361
**Name of the Vulnerable Software and Affected Versions**
phpMyFAQ versions prior to 4.1.2
**Description**
A stored cross-site scripting vulnerability exists in the `search.twig` template, where `result.question` and `result.answerPreview` are rendered through the `raw` filter, which disables Twig's automatic output escaping. A user with FAQ editor or contributor privileges can exploit this by saving an HTML-entity-encoded payload (for example `&lt;` and `&gt;` in place of `<` and `>`) in a FAQ entry. In `SearchController.php`, search results are processed with `html_entity_decode(strip_tags(...))`. Because the encoded payload contains no literal `<` or `>`, `strip_tags()` removes nothing; `html_entity_decode()` then restores the entities into real HTML tags, and the `raw` filter outputs them verbatim. As a result, arbitrary JavaScript executes in the browser of any visitor whose search results include the malicious entry, including administrators, which can lead to session cookie exfiltration and full account takeover.
**Recommendations**
Update to version 4.1.2 or later.
Remove the `raw` filter from user-controlled fields in `search.twig`, specifically for `result.question` and `result.answerPreview`.
Remove the `html_entity_decode()` call from the search result processing pipeline in `SearchController.php`, so that `strip_tags()` output is not decoded back into markup.
Review and sanitize other instances of the `raw` filter in `search.twig`, such as `searchTags` and `relatedTags`.
Apply `htmlspecialchars()` within the `logSearchTerm()` function to prevent secondary injection.
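The following PHP script is an added example, not phpMyFAQ's own code, that reproduces the ordering problem described above and shows the hardened pipeline the recommendations call for. The function names and the sample payload are constructed for illustration; `htmlspecialchars()` stands in for the Twig autoescaping that `{{ result.question }}` (without `|raw`) would apply.

```php
<?php
declare(strict_types=1);

// Added example (not phpMyFAQ code). Function names and the payload are
// constructed to illustrate the html_entity_decode(strip_tags()) bug.
// Requires PHP 8.0+ for str_contains().

/**
 * Vulnerable ordering as described for SearchController.php.
 * strip_tags() runs on the entity-encoded string first, finds no literal
 * '<' or '>' and removes nothing; html_entity_decode() then reconstructs
 * the tag. Rendered with {{ value|raw }} in Twig, the tag is output as-is.
 */
function vulnerableAnswerPreview(string $stored): string
{
    return html_entity_decode(strip_tags($stored));
}

/**
 * Hardened pipeline following the advisory: no html_entity_decode() in the
 * processing step, and the value is escaped at output time. The
 * htmlspecialchars() call stands in for Twig's autoescape, which is what
 * {{ value }} (without |raw) applies.
 */
function safeAnswerPreview(string $stored): string
{
    $stripped = strip_tags($stored);
    return htmlspecialchars($stripped, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * If entities genuinely must be decoded (stored content already entity-
 * encoded for display), decode BEFORE strip_tags() so the tags exist when
 * they are stripped, and still escape at output time.
 */
function safeDecodedPreview(string $stored): string
{
    $decoded  = html_entity_decode($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $stripped = strip_tags($decoded);
    return htmlspecialchars($stripped, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Quick regression check for any rendering pipeline: if the output
 * contains a literal '<' that the input did not, markup was reconstructed
 * from entities and would execute when emitted through |raw.
 */
function reconstructsMarkup(string $input, string $output): bool
{
    return !str_contains($input, '<') && str_contains($output, '<');
}

// Constructed attacker input: what a FAQ editor could save as an answer.
// The tag is entity-encoded so strip_tags() does not see it.
$payload = 'Reset your password here: '
    . '&lt;img src=x onerror=alert(document.cookie)&gt;';

foreach (['vulnerableAnswerPreview', 'safeAnswerPreview', 'safeDecodedPreview'] as $fn) {
    printf("%-24s %s\n", $fn . ':', $fn($payload));
    printf("%-24s reconstructs markup: %s\n\n", '',
        reconstructsMarkup($payload, $fn($payload)) ? 'yes' : 'no');
}
```

Run it with `php example.php`: only the vulnerable variant turns the entity-encoded `&lt;img ...&gt;` back into a live `<img>` tag, which is exactly what reaches the browser when the template uses `|raw`. The template-side half of the fix is independent of this script: change `{{ result.question|raw }}` and `{{ result.answerPreview|raw }}` to `{{ result.question }}` and `{{ result.answerPreview }}` so Twig's autoescape covers these fields, and apply the same review to `searchTags` and `relatedTags`.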