Web Search Results Contain HTML tags

  • Question

  • Not sure if this is a bug in the web results or not, but anyway, during some query testing I have noticed that HTML tags from the Live Results can interfere with the way they are displayed on web pages.

    ==== INPUT BOX DISPLAYED ====
    http://buildasearch.com/earthoid?e=mysql+delete+records+30+days+or+older&submit=search


    Tuesday, January 6, 2009 11:26 PM

Answers

  • This is actually a security bug in your application.

    In this case, the content of the description tag happens to contain an HTML tag, and you are blasting it into the output without escaping the characters. If I managed to get a <script> tag in there, I would deliver an XSS attack through your site.

    If you want a repro, just use "<script>alert(document.domain)</script>" as your query string.

    The output from the Search index should not be considered trusted.

    HTH

    --Alessandro

    Wednesday, January 7, 2009 8:18 PM
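As an added illustration of the bug the answer above describes (this is example code written for this page, not the search site's own PHP, and it is in Python rather than PHP), the block below renders constructed search results two ways: the "before", which interpolates the index's description field and the echoed query straight into the page, and the fix, which treats everything coming back from the index as untrusted text and escapes it at the point of output. The query is echoed into an attribute value (the input box) as well as the page body, so the escaping has to cover quotes, not only angle brackets. The result records and the query are constructed sample data; the second description carries the repro payload from the answer.

```python
"""Rendering untrusted search results into HTML: vulnerable vs. escaped.

Added example, not the site's own code. SAMPLE_RESULTS is constructed
sample data standing in for what a search index might return.
"""
import html

# Constructed sample: two hits, the second carrying the repro payload
# quoted in the thread in its description field.
SAMPLE_RESULTS = [
    {"title": "Delete old rows in MySQL",
     "description": "DELETE FROM t WHERE created < NOW() - INTERVAL 30 DAY"},
    {"title": "Feed item",
     "description": "<script>alert(document.domain)</script>"},
]


def render_vulnerable(query, results):
    """The 'before': raw interpolation. Whatever the index returns (and
    whatever the user typed) becomes live markup in the response."""
    out = [f'<input name="e" value="{query}">']
    for r in results:
        out.append(f'<li><b>{r["title"]}</b>: {r["description"]}</li>')
    return "\n".join(out)


def render_escaped(query, results):
    """The fix: index output is untrusted text, so escape it when writing
    it into HTML. html.escape(quote=True) rewrites & < > " and ', which
    neutralises both the element-body and attribute-value contexts used
    here (the echoed query lands inside value="...")."""
    def esc(s):
        return html.escape(s, quote=True)

    out = [f'<input name="e" value="{esc(query)}">']
    for r in results:
        out.append(f'<li><b>{esc(r["title"])}</b>: {esc(r["description"])}</li>')
    return "\n".join(out)


def contains_live_tag(page, tag="script"):
    """Crude check: does the rendered page still contain an unescaped
    opening <tag? Escaped output only contains &lt;tag."""
    return f"<{tag}" in page.lower()


if __name__ == "__main__":
    # Payload that breaks out of the value="..." attribute and then
    # injects a script element; the same string the thread uses as a repro.
    q = '"><script>alert(document.domain)</script>'
    print("--- vulnerable ---")
    print(render_vulnerable(q, SAMPLE_RESULTS))
    print("--- escaped ---")
    print(render_escaped(q, SAMPLE_RESULTS))
```

The point of escaping at output rather than stripping at input is that the index content is not under the application's control and its format can change; encoding for the destination context (HTML body, attribute, URL, JavaScript) is what keeps a stray tag or quote from becoming markup, whatever the source happens to send.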

All replies

  • I fixed the problem by using a simple "strip_tags" in php.  Thanks!
    Wednesday, January 7, 2009 9:58 PM
  • The bug wasn't fixed. If you search for "<script>alert(document.domain)</script>" (including quotation marks) you still get the alert. 10 times!
    Thursday, March 12, 2009 9:38 AM
  • Florinux,

    Thanks for testing out the search. We recently upgraded our codebase to a smaller, faster one and totally overlooked the bug.  We have fixed it once again.

    Cheers!

    Lovely Day for a Lonestar.
    Friday, March 13, 2009 6:47 AM