Datafeedr Support Forums  

#1
April 8th, 2012, 06:42 AM
rossboardman
Join Date: May 2010
Posts: 21

Possible XSS flaw in simple search widget/results

Hi

I'm using the simple search widget for my store, but I noticed it's not stripping HTML when outputting the search term, and I'm worried about possible cross-site scripting issues.

The search page view has these lines in it:

Code:
<?php if (@$_GET['word']){ ?><li><b>Word: </b>[store.get param="word"]</li><?php } ?>
<?php if (@$_GET['merchant']){ ?><li><b>Merchant: </b>[store.get param="merchant"]</li><?php } ?>
<?php if (@$_GET['tags']){ ?><li><b>Tags: </b>[store.get param="tags"]</li><?php } ?>
<?php if (@$_GET['price']){ ?><li><b>Price: </b>[store.get param="price"]</li><?php } ?>
This looks like it's not doing much clean-up of the strings, so I'd like some help cleaning up the string and also making sure nothing is actually getting executed on the database that could be potentially harmful.

Is there an existing WordPress function I could use to clean things up for the front end?

Cheers.
#2
April 8th, 2012, 08:11 AM
Eric
Datafeedr Team
Join Date: Feb 2008
Posts: 16,902

Hi

Use the strip_tags function.

Eric
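As an added example (not code from the Datafeedr plugin or from either poster), here is how the search-summary list from the quoted template can be rendered with output escaping, so that whatever arrives in the `word`, `merchant`, `tags` and `price` query parameters is shown as literal text rather than parsed as HTML. The function names `escape_for_html` and `render_search_summary`, and the sample input, are assumptions made up for this example; `esc_html()` is WordPress core and `htmlspecialchars()` is plain PHP.

```php
<?php
// Added example: escape user-supplied search terms before echoing them into HTML.
// Assumes the same query parameters as the quoted template: word, merchant, tags, price.

// Escape a value for use inside an HTML text node.
// Inside WordPress, esc_html() does this; outside it, htmlspecialchars() with
// ENT_QUOTES is the equivalent (single and double quotes are encoded as well).
function escape_for_html(string $value): string
{
    if (function_exists('esc_html')) {
        return esc_html($value);              // WordPress core helper
    }
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build the <li> list for the search summary, escaping every user-controlled value.
// $params stands in for $_GET so the function can be exercised without a request.
function render_search_summary(array $params): string
{
    $labels = [
        'word'     => 'Word',
        'merchant' => 'Merchant',
        'tags'     => 'Tags',
        'price'    => 'Price',
    ];

    $html = '';
    foreach ($labels as $key => $label) {
        // Same intent as the template's `if (@$_GET['word'])` guard, without the @ suppression.
        if (!isset($params[$key]) || $params[$key] === '') {
            continue;
        }
        $html .= '<li><b>' . $label . ': </b>'
               . escape_for_html((string) $params[$key])
               . "</li>\n";
    }
    return $html;
}

// Constructed sample input standing in for $_GET: a search term that carries markup.
$sample = [
    'word'  => '<script>alert(1)</script> shoes',
    'price' => '10-20',
];
echo render_search_summary($sample);
```

With this input the `<script>` element is emitted as `&lt;script&gt;` and the browser displays it as text. `strip_tags()`, as suggested above, removes tag-shaped substrings but does not encode the characters it leaves behind, so it is a content filter rather than an output encoder; the two can be combined (strip first, then escape). If the same term is also written back into an attribute, for example the `value="..."` of the search box, escape it with `esc_attr()` (or `htmlspecialchars()` with `ENT_QUOTES`) for that context instead.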