I've got a simple search script which returns results based on a query string from the URL:
$filter_query = request_param('query');
if ($filter_query) {
    $topic_filters['query'] = $filter_query;
    $smarty->assign('query', $filter_query);
}
However, currently this is exposed to XSS and abuse, as it's not sanitising the input of 'query'.
I'm using Smarty templates; are there any inbuilt functions to do this automatically?
Inside your Smarty template, use the escape modifier to escape the output against XSS attacks. By default it escapes & " ' < >. If you need additional entities encoded, use the :htmlall parameter to the escape modifier (see the documentation).
{* Inside your template... *}
This is the value of {$query|escape}
Otherwise you can escape it before assigning to Smarty with htmlspecialchars().
// Or beforehand in PHP, which protects you from forgetting to do it in your template
// if you use the same variable in many locations.
// ENT_QUOTES is passed explicitly so that single quotes are encoded too
// (before PHP 8.1 the default flags left ' untouched).
$smarty->assign('query', htmlspecialchars($filter_query, ENT_QUOTES, 'UTF-8'));
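The following is an added example, not code from the question or the answer above, showing in plain PHP what the two approaches do with a constructed attacker-style query string. The helpers escape_html(), escape_htmlall() and render_results_header() are names chosen here; escape_html() reproduces Smarty's default |escape behaviour (htmlspecialchars with ENT_QUOTES) and escape_htmlall() reproduces |escape:'htmlall' (htmlentities). No Smarty installation is needed to run it.

```php
<?php
// Added example (not from the question or answers): plain-PHP stand-ins for
// Smarty's |escape and |escape:'htmlall', applied to a constructed query.

// Mirrors {$query|escape}: Smarty's default 'html' mode uses htmlspecialchars
// with ENT_QUOTES, so all five of & " ' < > are converted.
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Mirrors {$query|escape:'htmlall'}: every character that has a named HTML
// entity is encoded, not only the five special ones.
function escape_htmlall(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Renders a results header the way the question's template might, with the
// query reflected in both element content and a single-quoted attribute.
// $escape = false reproduces the vulnerable behaviour from the question.
function render_results_header(string $query, bool $escape): string
{
    $shown = $escape ? escape_html($query) : $query;
    return '<h2>Results for <em>' . $shown . '</em></h2>' . "\n"
         . "<input type=\"search\" name=\"query\" value='" . $shown . "'>";
}

// Constructed sample input: a typical reflected-XSS probe in ?query=.
$query = "shoes'><script>alert(1)</script>";

echo "Unescaped (vulnerable):\n", render_results_header($query, false), "\n\n";
echo "Escaped like {\$query|escape}:\n", render_results_header($query, true), "\n\n";
echo "Escaped like {\$query|escape:'htmlall'} (é becomes &eacute;):\n",
     escape_htmlall("café <b>"), "\n";
```

Run it with `php example.php`. The unescaped output closes the single-quoted value attribute early and lands a script element in the page; the escaped output keeps the same text inert. The ENT_QUOTES flag matters for exactly that single-quoted attribute: before PHP 8.1, htmlspecialchars() without it left the apostrophe alone, so a single-quoted attribute would still break.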
I had a similar problem: the code
onmouseover="action({$keyid},'{$label}');"
caused JavaScript errors when $label contained quotes. I solved it using the Smarty command escape:'quotes'. Please note that in this case, |escape alone would not have solved it, because instead of replacing ' with \', it would have replaced ' with &#039;.
So I edited my code to:
onmouseover="action({$keyid},'{$label|escape:'quotes'}');"
and it works! Hope it will be useful to someone...
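As an added example (not part of the answer above), here is the same onmouseover attribute built in plain PHP, to show what each escaping step does and does not cover. The value sits inside a JavaScript string literal that itself sits inside an HTML attribute, so it is in two contexts at once. The helpers escape_quotes(), render_handler_quotes_only() and render_handler_layered() are names chosen here; escape_quotes() approximates Smarty's |escape:'quotes' (backslash-escaping unescaped single quotes), and the layered version is an assumed hardening that uses json_encode() for the JavaScript context and htmlspecialchars() for the attribute context.

```php
<?php
// Added example (not from the answer above): the onmouseover attribute from
// the answer, built two ways in plain PHP.  No Smarty install is needed.

// Approximates {$label|escape:'quotes'}: backslash-escapes single quotes that
// are not already escaped.  Double quotes, < > and & pass through untouched.
function escape_quotes(string $value): string
{
    return preg_replace("%(?<!\\\\)'%", "\\'", $value);
}

// Quotes-only escaping, as in the answer.  Fixes the JS syntax error for
// labels containing an apostrophe, but a double quote in $label still ends
// the HTML attribute early because the attribute is delimited with ".
function render_handler_quotes_only(int $keyid, string $label): string
{
    return 'onmouseover="action(' . $keyid . ",'" . escape_quotes($label) . "');\"";
}

// Layered escaping for a value in a JS string inside an HTML attribute.
function render_handler_layered(int $keyid, string $label): string
{
    // Step 1 (JavaScript context): make the label a JS string literal.
    // The JSON_HEX_* flags turn < > & ' " into \uXXXX sequences, so the
    // literal cannot end the string, the attribute, or a <script> block.
    $js = json_encode(
        $label,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_UNICODE
    );
    // Step 2 (HTML attribute context): the whole handler is an attribute
    // value, so HTML-escape it.  The browser decodes the entities before
    // handing the text to the JS parser, so step 1's escapes survive intact.
    $handler = 'action(' . $keyid . ',' . $js . ');';
    return 'onmouseover="' . htmlspecialchars($handler, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '"';
}

// Constructed sample labels: the case from the answer, and one with both
// kinds of quote plus angle brackets.
$labels = ["Smarty's template", 'Bob\'s "best" <deal>'];

foreach ($labels as $label) {
    echo "label: $label\n";
    echo "  quotes only: ", render_handler_quotes_only(7, $label), "\n";
    echo "  layered:     ", render_handler_layered(7, $label), "\n\n";
}
```

For the second label the quotes-only output is `onmouseover="action(7,'Bob\'s "best" <deal>');"`, where the first `"` in the label terminates the attribute; the layered output is `onmouseover="action(7,&quot;Bob\u0027s \u0022best\u0022 \u003Cdeal\u003E&quot;);"`, which parses as a single attribute and a single JS string. Inside a Smarty template the equivalent of step 1 is the documented |escape:'javascript' mode, which should be combined with HTML-attribute escaping rather than used alone, since |escape:'quotes' only addresses the JS syntax error the answer ran into.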