Penetration Testing
Hello All
We have had testing done on some of our sites, and it has highlighted a potential issue for cross-site scripting with the XSLT search.
If you enter <script> into the search box you get a message:
A potentially dangerous Request.Form value was detected from the client (ctl00$ctl00$ctl00$ContentPlaceHolderDefault$SearchBox_3$searchText="<script>").
Now, this could be nothing, but it has been suggested that it should be escaped properly to deal with this type of attack. How can I do this with XSLTsearch?
Thanks
I don't think it is a problem in practice, but obviously people don't like seeing the YSOD (though then again, that's why it's there: to stop people putting in potentially dangerous stuff).
For what it's worth, XSLTsearch encodes and sanitizes input terms. You will find a 'cleaner' function in the app_code/xsltsearch.cs file that you could add to if you wanted.
But I'm not really sure how you'd trap the incoming form submission to avoid the problem in the first place. A simple <form> tag with an input field that has <script> typed into it will give the same error, even without XSLTsearch being involved. If someone knows a way to handle this I'd love to know it.
cheers,
doug.
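An added example, not from this thread and not XSLTsearch's own code, of how an ASP.NET Web Forms search page can accept a term containing <script> without the "potentially dangerous Request.Form value" YSOD and still render it safely. The page class name and the control IDs (searchText, results) are assumed for illustration.

```csharp
// Added example (not XSLTsearch's own code). The YSOD is ASP.NET request
// validation rejecting the posted form field. To accept the term and stay safe:
//
// Step 1: switch request validation off for this one page only, in the .aspx:
//   <%@ Page Language="C#" ValidateRequest="false" Inherits="SearchPage" %>
// (or for every page via web.config: <pages validateRequest="false" />).
// On ASP.NET 4.0 and later the page-level switch only takes effect if
// web.config also contains <httpRuntime requestValidationMode="2.0" />.
//
// Step 2: with validation off, the raw term is untrusted, so it must be
// HTML-encoded at the point where it is written back into the page.

using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class SearchPage : Page
{
    // Assumed controls: <asp:TextBox ID="searchText" runat="server" />
    //                   <asp:Literal ID="results" runat="server" />
    protected TextBox searchText;
    protected Literal results;

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            return;
        }

        string term = searchText.Text ?? string.Empty;

        // A Literal renders its Text as-is, so never assign the raw term.
        // HtmlEncode turns <script> into &lt;script&gt;, which the browser
        // displays instead of executing. (Setting results.Mode =
        // LiteralMode.Encode would do the same encoding for you.)
        results.Text = "You searched for: " + HttpUtility.HtmlEncode(term);

        // If the term ever goes inside an attribute (e.g. value="..."),
        // use HtmlAttributeEncode, which also escapes the quote characters.
        string attributeSafe = HttpUtility.HtmlAttributeEncode(term);
        results.Text += "<span data-term=\"" + attributeSafe + "\"></span>";
    }
}
```

The TextBox control HTML-encodes its own value attribute when it renders, so the term typed into the box is already displayed safely after postback; the encoding above is what matters for anywhere else you echo the term, such as a "results for ..." heading. Turning validation off only for the search page keeps the YSOD as a backstop on every other form.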