search control - cross site scripting

4 posts, 0 answered
  1. Biren
     23 posts, registered 02 Nov 2010
     Posted 02 Nov 2010
    I have a question on the Sitefinity search control. We are using the built-in Sitefinity search control on our client website. I want to know whether this control takes care of threats like cross-site scripting and SQL injection?
    Thanks!!
  2. Ivan Dimitrov
     16072 posts, registered 25 Nov 2016
     Posted 02 Nov 2010
    Hello Biren,

    The only thing that the control does is set a QueryString in the URL. The control does not make any requests to the database or calls to any methods from our API.

    Kind regards,
    Ivan Dimitrov
    the Telerik team
    Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug is fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items.
  3. Biren
     23 posts, registered 02 Nov 2010
     Posted 02 Nov 2010
    Thanks for the reply, Ivan.
    Sorry for giving partial information in my first message. We also use the search result control to display the search results.

    So when a user comes to our site and types in some keyword, the control sets a querystring like http://mysite.com/search-results.aspx?IndexCatalogue=indexname&SearchQuery=keywords. Then what happens? I guess the indexer will find all related pages and display them on the search result control, right? The indexer doesn't get this info from the database?

    When I try to search with text like <script>alert('somebody was here!');</script>, the JavaScript alert pops up with the message. That is XSS. Similarly, can anyone run a SQL query?

    Thanks,
    Biren

  4. Ivan Dimitrov
     16072 posts, registered 25 Nov 2016
     Posted 02 Nov 2010
    Hi Biren,

    This is really interesting, because if you type <script>alert('somebody was here!');</script> in the browser, ASP.NET will automatically validate the request. HttpRequest.get_QueryString() will be called and then HttpRequest.ValidateString, which will throw an error.
    You can additionally protect the website by using some client-side validation on the TextBox control inside Sitefinity/ControlTemplates/Search/SearchBox.ascx.

    Kind regards,
    Ivan Dimitrov
    the Telerik team
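Added example, not Sitefinity's control code and not from either poster: a hypothetical ASP.NET code-behind for a search results page that reads the SearchQuery parameter Biren describes and echoes it back HTML-encoded, so the reflected payload from the thread is rendered as text instead of executed. It relies on the request validation Ivan mentions as a first line of defence and on output encoding as the second; the class name SearchResults and the Literal control EchoLiteral (assumed to be declared in the page markup as <asp:Literal ID="EchoLiteral" runat="server" />) are assumptions for the example.

```csharp
using System;
using System.Web;                 // HttpUtility, HttpRequestValidationException (System.Web.dll)
using System.Web.UI;
using System.Web.UI.WebControls;

// Hypothetical search results page (example only, not Sitefinity's own control).
public partial class SearchResults : Page
{
    // Query-string parameter the Sitefinity search box sets, as shown in the thread.
    private const string SearchQueryKey = "SearchQuery";

    // Builds the "You searched for ..." markup. Kept static and side-effect free so it
    // can be unit-tested without an HTTP context.
    public static string BuildEchoMarkup(string rawQuery)
    {
        // HtmlEncode turns <, >, &, " into entities, so an input such as
        // <script>alert('somebody was here!');</script> is displayed literally and never runs.
        string safe = HttpUtility.HtmlEncode(rawQuery ?? string.Empty);
        return "<p>You searched for: <strong>" + safe + "</strong></p>";
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        string rawQuery;
        try
        {
            // Reading Request.QueryString triggers ASP.NET request validation when
            // validateRequest is enabled (the default); a value containing <script>
            // raises HttpRequestValidationException here, as Ivan describes.
            rawQuery = Request.QueryString[SearchQueryKey];
        }
        catch (HttpRequestValidationException)
        {
            // Show a neutral message rather than the yellow error page; nothing from the
            // rejected input is written back to the response.
            EchoLiteral.Text = "<p>The search text contains characters that are not allowed.</p>";
            return;
        }

        // Encode on output regardless of validation: validation can be switched off per page
        // or site-wide, and encoding is what actually prevents the markup from executing.
        EchoLiteral.Text = BuildEchoMarkup(rawQuery);
    }
}
```

Request validation is controlled in web.config by `<pages validateRequest="true" />` and, on ASP.NET 4.0, by `<httpRuntime requestValidationMode="4.0" />` (validation before page code runs) versus `"2.0"` (validation only when the collection is accessed); if a site has turned either off, the behaviour Biren observed is what you get, and the output encoding above is then the only control left. The same encoding should be applied wherever the query is rendered, including any "no results for X" message, since a search term that reaches the index is also a search term that comes back in the page.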