
Sanitise low search keywords

Samuel Coles 11 Dec 2018 14:11 question, complete

What's a good method for stripping HTML from our site search? I've found that it's possible to inject HTML directly into our page like this:

https://website.co.uk?keywords=" < svg / onload%3Dconfirm(//)>

The page source then looks like this:

Replies

    Low 11 Dec 2018 14:14

    What variable are you using there? The standard {low_search_keywords} does escape any HTML in it.

    Samuel Coles 11 Dec 2018 14:17

    Ahhh that could be it!!! We're using {get:keywords} instead of {low_search_keywords}. I expect that will fix it but will let you know... Thanks!

    Low 11 Dec 2018 14:19

    Yeah, never use that! All LS parameter-variables are escaped when put into a template. Would be quite dangerous if they weren't!

    Samuel Coles 11 Dec 2018 14:26

    It worked!! Feel really stupid but at least it's fixed. Thank you for your quick response :)
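The difference between the two tags, as an added illustration (not Low Search or ExpressionEngine code): a raw query parameter dropped into markup, the way the thread's {get:keywords} usage did, versus the same value entity-encoded before output, as {low_search_keywords} does. The URL and the template strings below are constructed for the example.

```python
"""Added example, not code from the thread or from Low Search.
Shows why reflecting a raw query parameter into a template is an XSS
sink and what output escaping changes. Standard library only."""
import html
from urllib.parse import parse_qs, urlsplit

# Constructed URL with the same shape as the one posted in the thread.
SAMPLE_URL = "https://website.co.uk/?keywords=%22+%3C+svg+%2F+onload%3Dconfirm(%2F%2F)%3E"

# Characters that change meaning inside HTML when left unencoded.
HTML_SIGNIFICANT = '<>"\''


def keywords_from_url(url: str) -> str:
    """URL-decode the 'keywords' parameter, i.e. what a raw GET variable yields."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("keywords", [""])[0]


def render_unescaped(keywords: str) -> str:
    """The pattern the thread warns against: value inserted verbatim into markup."""
    return f"<p>You searched for: {keywords}</p>"


def render_escaped(keywords: str) -> str:
    """The safe form: entity-encode the value before it reaches the page."""
    return f"<p>You searched for: {html.escape(keywords, quote=True)}</p>"


def leaked_chars(render, keywords: str) -> set:
    """Which HTML-significant characters the user value added to the output,
    compared with the same template rendered for an empty search."""
    baseline = render("")
    output = render(keywords)
    return {c for c in HTML_SIGNIFICANT if output.count(c) > baseline.count(c)}


if __name__ == "__main__":
    kw = keywords_from_url(SAMPLE_URL)
    print("raw      ->", render_unescaped(kw), leaked_chars(render_unescaped, kw))
    print("escaped  ->", render_escaped(kw), leaked_chars(render_escaped, kw))
```

Entity encoding covers text and quoted-attribute context only; a value placed inside a script block or an unquoted attribute needs context-specific encoding, so the template variable's escaping is the right default but not a substitute for knowing where the value lands.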