
  • Fuji Kusaka 2203 posts 4220 karma points
    Mar 05, 2013 @ 05:47
    Fuji Kusaka
    0

    Stripping Html tags from search

    Hi Guys,

    This might be something very stupid, but I am having some issues where some people are using HTML tags in my search field and causing error handlers to trigger.

    Is there a way of removing HTML tags other than StripHtml?

    <!-- form field value, if present -->
    <xsl:when test="umbraco.library:StripHtml(umbraco.library:RequestForm('search')) != ''">
      <xsl:value-of select="PS.XSLTsearch:cleanSearchTerm(PS.XSLTsearch:escapeString(umbraco.library:StripHtml(umbraco.library:RequestForm('search'))))" />
    </xsl:when>
    <!-- querystring value, if present -->
    <xsl:when test="umbraco.library:StripHtml(umbraco.library:RequestQueryString('search')) != ''">
      <xsl:value-of select="PS.XSLTsearch:cleanSearchTerm(PS.XSLTsearch:escapeString(umbraco.library:StripHtml(umbraco.library:RequestQueryString('search'))))" />
    </xsl:when>
    <!-- no value -->

    This didn't work at all. Any idea how I could achieve this?

  • Fuji Kusaka 2203 posts 4220 karma points
    Mar 05, 2013 @ 09:07
    Fuji Kusaka
    0

    I tried to encode the data as well in the .cs file itself, or maybe add a regex in there, but without success.

    data = HttpUtility.HtmlEncode(data);
  • Fuji Kusaka 2203 posts 4220 karma points
    Mar 05, 2013 @ 09:14
    Fuji Kusaka
    0
    data = System.Text.RegularExpressions.Regex.Replace(data, @"<(.|\n)*?>", " ");

    Didn't get this to work either.

  • Douglas Robar 3570 posts 4711 karma points MVP ∞ admin c-trib
    Mar 05, 2013 @ 09:39
    Douglas Robar
    0

    The problem is that .NET is getting in the way long before XSLTsearch is involved. That's why you're getting a YSOD, because passing html in via form fields is considered an attack vector and is blocked.

    Google is loaded with info about this message, which isn't unique to Umbraco at all. For instance: http://stackoverflow.com/questions/81991/a-potentially-dangerous-request-form-value-was-detected-from-the-client

    You will find a similar discussion and solution options (and a bug report for some recent versions of Umbraco) at:

    http://our.umbraco.org/forum/developers/xslt/38786-Xpath-Injection-Vulnerability

    http://issues.umbraco.org/issue/U4-1795

    cheers,
    doug.

  • Douglas Robar 3570 posts 4711 karma points MVP ∞ admin c-trib
    Mar 05, 2013 @ 09:42
    Douglas Robar
    0

    And this umbraco-specific tag may also be helpful. http://our.umbraco.org/forum/using/ui-questions/27701-New-Custom-Section-and-A-potentially-dangerous-RequestForm-value-was-detected-error

    But do be VEEERY careful if you disable the checking because then, rather than getting an error you open yourself and your site up to real attack vectors.

    cheers,
    doug.

  • Fuji Kusaka 2203 posts 4220 karma points
    Mar 05, 2013 @ 11:56
    Fuji Kusaka
    0

    Thanks for the response Doug, this is quite a pain to be honest; I don't see many people looking for HTML tags.

    However, instead of this I will try to make it trigger an error 500 instead. At the moment it's giving me an ugly error msg.
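Since the rejection happens inside ASP.NET request validation before XSLTsearch or any page code runs, the StripHtml/regex attempts above never execute; the way to get a controlled error page instead of the YSOD while keeping validation switched on is to handle HttpRequestValidationException at application level. The following is an added example, not code from this thread or from Umbraco/XSLTsearch; it assumes an IHttpModule registered in web.config (the module class name is arbitrary), and it answers with a 400 rather than a 500 because the rejected input is the client's, though the status code can be changed.

```csharp
using System;
using System.Web;

// Keeps ASP.NET request validation enabled but replaces the yellow screen of
// death raised for HTML in a form or querystring field with a plain, controlled
// error response. Register under <system.web><httpModules> (classic pipeline)
// or <system.webServer><modules> (integrated pipeline). Class name is an assumption.
public class RequestValidationErrorModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.Error += OnError;
    }

    private static void OnError(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        Exception ex = app.Server.GetLastError();

        // ASP.NET frequently wraps the real exception in HttpUnhandledException.
        if (ex is HttpUnhandledException && ex.InnerException != null)
            ex = ex.InnerException;

        // Only handle the request-validation rejection; every other error keeps
        // flowing through the site's normal error handling.
        if (!(ex is HttpRequestValidationException))
            return;

        app.Server.ClearError();
        HttpResponse response = app.Response;
        response.Clear();
        response.StatusCode = 400;               // client sent disallowed input
        response.TrySkipIisCustomErrors = true;  // stop IIS replacing this body with its own page
        response.ContentType = "text/plain";
        // The rejected input is deliberately not echoed back into the response.
        response.Write("Your search term contains characters such as < or > that are not allowed. Please change it and try again.");
        app.CompleteRequest();
    }

    public void Dispose() { }
}
```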
