Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at

  • Kevin Coster 83 posts 120 karma points
    Mar 19, 2012 @ 16:32
    Kevin Coster

    Penetration Testing

    Hello All

    We have had a testing done on some of our sites and have had highlighted a potential issue for cross site scripting with the XSLT search.

    If you enter <script> into the search box you get a message:


    A potentially dangerous Request.Form value was detected from the client (ctl00$ctl00$ctl00$ContentPlaceHolderDefault$SearchBox_3$searchText="<script>").


    Now this could be nothing but it has been suggested that it is escaped properly to deal this type of attack how can I do this with XSLTsearch?



  • Douglas Robar 3570 posts 4711 karma points MVP ∞ admin c-trib
    Mar 19, 2012 @ 18:02
    Douglas Robar

    I don't think it is a problem in practice but obviously people don't like seeing the ysod (though then again, that's why it's there... to stop people putting in potentially dangerous stuff). 

    For what it's worth, XSLTsearch encodes and sanitizes input terms. You will find 'cleaner' function in the app_code/xsltsearch.cs file you could add to if you wanted.

    But I'm not really sure how you'd trap the incoming form submission to avoid the problem in the first place. A simple <form> tag with an input field that has <script> typed into it will give the same error, even without XSLTsearch being involved. If someone knows a way to handle this I'd love to know it.


Please Sign in or register to post replies

Write your reply to: