Datafeedr Support Forums (http://www.datafeedr.com/forums/index.php)
-   Questions (http://www.datafeedr.com/forums/forumdisplay.php?f=67)
-   -   Possible XSS flaw in simple search widget/results (http://www.datafeedr.com/forums/showthread.php?t=6689)

rossboardman April 8th, 2012 06:42 AM

Possible XSS flaw in simple search widget/results
 
Hi

I'm using the simple search widget for my store, but I noticed it's not stripping HTML when outputting the search term, and I'm worried about possible cross-site scripting issues.

The search page view has these lines in it:

Code:

<?php if (@$_GET['word']){ ?><li><b>Word: </b>[store.get param="word"]</li><?php } ?>
<?php if (@$_GET['merchant']){ ?><li><b>Merchant: </b>[store.get param="merchant"]</li><?php } ?>
<?php if (@$_GET['tags']){ ?><li><b>Tags: </b>[store.get param="tags"]</li><?php } ?>
<?php if (@$_GET['price']){ ?><li><b>Price: </b>[store.get param="price"]</li><?php } ?>

which looks like it's not doing much clean-up of the strings, so I'd like some help cleaning up the string and also making sure nothing is actually getting executed on the database that could be potentially harmful.

Is there an existing WordPress function I could use to clean things up for the front end?

Cheers.

Eric April 8th, 2012 08:11 AM

Hi

Use the strip_tags function.

Eric
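Editor's note, with an added example that is neither Datafeedr's nor WordPress's own code: strip_tags() removes complete tags, but it is not an output encoder. The reflected search term in the template above is an HTML output-encoding problem, and the standard answer is to encode the value for the context it lands in (in WordPress, esc_html() for a text node and esc_attr() for an attribute value; in plain PHP, htmlspecialchars() with ENT_QUOTES). The script below runs outside WordPress, so htmlspecialchars() stands in for those two functions; the payloads in $samples are constructed test inputs, and all function names are the example's own.

```php
<?php
// Added example: strip_tags() versus context-aware HTML escaping for a
// user-supplied ?word= value that the search results page echoes back.
// Not code from the Datafeedr plugin; runs stand-alone with `php file.php`.

// Constructed inputs a visitor could place in the search box.
$samples = [
    'red shoes',                          // benign
    '<script>alert(1)</script>',          // classic reflected XSS
    '<img src=x onerror=alert(1)>',       // self-closing tag with handler
    '" autofocus onfocus="alert(1)',      // attribute-context breakout, no tags at all
    '<b>bold</b> term',                   // harmless markup the user typed
    '5<10 inch',                          // unclosed '<' in an ordinary search term
];

// Eric's suggestion: removes anything that parses as a tag, leaves the rest untouched.
function clean_with_strip_tags(string $term): string
{
    return strip_tags($term);
}

// Output encoding for HTML. ENT_QUOTES escapes both quote styles, so the
// result is safe inside a text node and inside a double- or single-quoted
// attribute value (WordPress equivalents: esc_html() / esc_attr()).
function escape_html(string $term): string
{
    return htmlspecialchars($term, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Renders the "Word:" line from the search template plus a search box that
// reflects the term into its value attribute; both use the encoded value.
function render_word_line(string $term): string
{
    $safe = escape_html($term);
    return '<li><b>Word: </b>' . $safe . '</li>'
         . '<input type="text" name="word" value="' . $safe . '">';
}

foreach ($samples as $s) {
    printf("input:      %s\n", $s);
    // Note the 4th sample: strip_tags() returns it unchanged, so if the term
    // is reflected into an attribute the quote still closes it and the
    // onfocus handler is live. The 6th sample loses everything after '<'.
    printf("strip_tags: %s\n", clean_with_strip_tags($s));
    // The encoded form renders the visitor's term literally in every sample.
    printf("escaped:    %s\n\n", render_word_line($s));
}
```

Two things to take from the output: strip_tags() does nothing for the attribute-breakout payload and silently mangles legitimate search terms, whereas encoding preserves what the visitor typed and neutralises all of them. On the second half of the question, escaping for HTML output does nothing for the database; the way to keep a search term from executing as SQL is to pass it as a bound parameter ($wpdb->prepare() in WordPress) rather than to filter characters out of it.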
