All Low add-ons are now owned by EEHarbor. Read the blog post.

Support archive

Script injection with low search

johnrhunt 10 Apr 2015 16:14 problem, rejected

4.0.0 -> 4.1.1 upgrade breaks eveything:

I recently upgraded to 4.1.1 from 4.0.0 on my dev environment. After successfully upgrading and re-indexing I was left with no results at all - did I miss something? Downgrading back to 4.0.0 fixed things again but this didn't fill me with confidence.

The reason I tried to upgrade is because we're having PCI compliance issues on the site we're using low search on. This is happening because the low search pagination tag is outputting exactly what's on the address bar:

www.somesite.com/products/P189?orderb...

The links in the pagination contain the same:
href="http://www.somesite.com/products?orde..."

On modern browsers this is absolutely fine, but apparently some older browsers do things incorrectly and render the entities as actual characters and you get an alert box popping up! This script injection is BAD.

We're using this tag for the pagination:
{exp:low_search:results
channel="trees"
status="not closed"
limit="21"
sort="asc"
orderby_sort="{get:orderby_sort}"
paginate="both"
disable="member_data|category_fields"
}

Any thoughts?

Thanks,
John.

Replies

  1. Low 10 Apr 2015 16:23

    Actually, adding a script-tag is harmless. All user input is run through htmlspecialchars in the back-end, so characters like < > and " are encoded to entities, making sure no script-tag can ever be executed.

    Which older browsers are you referring to?

    If you want to avoid the issue, you can also turn on encoded queries.

    As for the search not working after upgrade -- what is the search form and results tags you're using? You can use http://pastie.org/ or http://pastebin.com/ for large chunks of code.

    There aren't any big changes from 4.0.0 to 4.1.1, so it seems odd for me that the search would stop working all of a sudden.

  2. johnrhunt 13 Apr 2015 09:59

    Thanks Low,

    I'm going to try and get some more info from the PCI people as I can't actually re-create the script executing on any browser (even tried IE6..) so I'm not sure if they're just making things up or not..

    I'll get back to you on the upgrade problem.

    Thanks,
    John.