Closed Williada-lbcc closed 6 years ago
The data from the search query is not always simply output to the screen, so to escape it there would not be wise. Escaping should be done when the data is output. We'd consider pull requests if you want to add escaping to the output.
On Mon, Mar 12, 2018 at 1:44 PM, Williada-lbcc notifications@github.com wrote:
Hello,
I've hit a couple of XSS issues with search result pages using the Solr Pro Farcry plugin. Escaping the 'q' variable with "encodeForHTML()" does a great job, but I was notified this morning that I hadn't found the bottom of the turtle stack and was escaping an href as well.
I don't mind digging through code, but perhaps it would expedite to ask if there is a single place we could escape the search query before it's branched off to all the code it is passed to?
Thanks for any assistance.
-- Sean Coyne n42 Designs sean@n42designs.com http://www.n42designs.com/ http://about.me/seancoyne
`/search?q=cat<%0Dscript>alert(%27XSS%27)<%0D/script>` causes an alert to pop up.

I currently have this in getSuggestion(), which seems to fix it:

```cfml
<cfsavecontent variable="str">
<!--- AJM <cfoutput>Did you mean <a href="#arguments.linkUrl#">#suggestion#</a>?</cfoutput> --->
<cfoutput>Did you mean <a href="#arguments.linkUrl#">#application.stPlugins.farcrysolrpro.oCustomFunctions.xmlSafeText(suggestion)#</a>?</cfoutput>
</cfsavecontent>
```
Update:

Maybe this is better:

```cfml
<cfoutput>Did you mean <a href="#arguments.linkUrl#">#ESAPIEncode('html', suggestion)#</a>?</cfoutput>
```
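Pulling the two points above together (encode at the point of output, and use the encoder that matches each output context, since the suggestion ends up both inside an href and as visible text), here is an added CFML example; it is not code from the plugin or from either participant. `renderSuggestion` and `searchPath` are hypothetical names; `encodeForURL`, `encodeForHTMLAttribute` and `encodeForHTML` are the built-in ColdFusion/Lucee encoders.

```cfml
<!--- Added example, not the plugin's own code. Function and argument names are hypothetical.
      The same suggestion string is written into three different contexts, each with its own encoder,
      so nothing has to be escaped upstream where the search query is first read. --->
<cfscript>
function renderSuggestion(required string suggestion, required string searchPath) {
    // 1. The suggestion becomes a query-string value: URL-encode it for that context.
    var linkUrl = arguments.searchPath & "?q=" & encodeForURL(arguments.suggestion);

    // 2. The whole URL is placed in an href attribute: attribute-encode it for that context.
    var hrefAttr = encodeForHTMLAttribute(linkUrl);

    // 3. The suggestion is shown as link text: HTML-encode it for that context.
    var linkText = encodeForHTML(arguments.suggestion);

    return 'Did you mean <a href="' & hrefAttr & '">' & linkText & '</a>?';
}

// Constructed input mirroring the reported payload after URL decoding (%0D is a carriage return).
payload = "cat<" & chr(13) & "script>alert('XSS')<" & chr(13) & "/script>";

// Both the attribute and the text are rendered inert; the browser shows the literal string.
writeOutput(renderSuggestion(payload, "/search"));
</cfscript>
```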