We have had some testing done on some of our sites and it has highlighted a potential issue for cross-site scripting with the XSLT search.
If you enter <script> into the search box you get a message:
Now this could be nothing, but it has been suggested that it be escaped properly to deal with this type of attack. How can I do this with XSLTsearch?
I don't think it is a problem in practice, but obviously people don't like seeing the YSOD (though then again, that's why it's there... to stop people putting in potentially dangerous stuff).
For what it's worth, XSLTsearch encodes and sanitizes input terms. You will find a 'cleaner' function in the app_code/xsltsearch.cs file you could add to if you wanted.
But I'm not really sure how you'd trap the incoming form submission to avoid the problem in the first place. A simple <form> tag with an input field that has <script> typed into it will give the same error, even without XSLTsearch being involved. If someone knows a way to handle this, I'd love to know it.
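The two things the reply above points at (a cleaner that reduces the term to plain data, and encoding wherever the term is written back into the page) can be shown in a few lines. The code below is an added illustration, not the cleaner shipped in app_code/xsltsearch.cs and not part of the original thread; the class name, the allowed-character set and the sample input are assumptions. If the yellow screen the poster sees is the standard ASP.NET request-validation exception, then the usual way to "trap" the submission is to turn validation off for that page only (ValidateRequest="false" in the @Page directive) and do this kind of cleaning and encoding yourself, because nothing else will then reject markup in the field.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

// Hypothetical helper (not XSLTsearch's own code) showing the two steps a search page needs:
// 1. normalise the raw term so it can only ever be used as data
//    (length cap, markup and punctuation stripped, whitespace collapsed);
// 2. HTML-encode the term at the point where it is written back into the page.
public static class SearchTermCleaner
{
    // Assumed limit; long "terms" are never real searches and only make regexes slower.
    private const int MaxLength = 200;

    // Anything that is not a letter, digit, whitespace, hyphen, underscore or full stop is dropped.
    // Angle brackets and quotes never survive, so the term cannot open a tag or break out of an
    // attribute even if some template later echoes it without encoding.
    private static readonly Regex Disallowed =
        new Regex(@"[^\p{L}\p{N}\s\-_.]", RegexOptions.Compiled);

    private static readonly Regex Whitespace =
        new Regex(@"\s+", RegexOptions.Compiled);

    // Reduce a raw form value to a plain search term.
    public static string Clean(string raw)
    {
        if (string.IsNullOrEmpty(raw)) return string.Empty;

        string term = raw.Length > MaxLength ? raw.Substring(0, MaxLength) : raw;
        term = Disallowed.Replace(term, " ");      // "<script>" becomes " script "
        return Whitespace.Replace(term, " ").Trim();
    }

    // Use this wherever the term goes into HTML, e.g. the "You searched for ..." line.
    // Encoding is done on output, not stored, so the same term can also be used
    // unencoded as a search value without double-encoding.
    public static string ForHtml(string term) => WebUtility.HtmlEncode(term);
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample: what a tester might type into the search box.
        string raw = "<script>alert(1)</script> umbraco";

        Console.WriteLine("raw     : " + raw);
        Console.WriteLine("cleaned : " + SearchTermCleaner.Clean(raw));
        // Even the raw value is harmless once it is encoded for output.
        Console.WriteLine("encoded : " + SearchTermCleaner.ForHtml(raw));
    }
}
```

In a WebForms page this would be used as `string term = SearchTermCleaner.Clean(Request.Form["search"]);` (the field name is an assumption) and the term would only reach the page through `SearchTermCleaner.ForHtml(term)`. Keeping the allow-list rather than a block-list of tag names is the deliberate choice here: new bypasses of a block-list appear regularly, whereas a term that contains no `<`, `>`, `"` or `'` cannot become markup however it is later rendered.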