We launched new forums in March 2019—join us there. In a hurry for help with your website? Get Help Now!
    • 849
    • 19 Posts
    Edit: solved, http://modxcms.com/forums/index.php/topic,37607.msg240505.html#msg240505
    Hi, I have used AjaxSearch weeks ago and I have found this bug, just realized it would be nice to ask it here.

    I was trying out some search terms until I saw something weird when I used the search term "$20", which weirdly showed all of the documents under the parent documents I have specified, sorted by item id

    And I have discovered it does do the same thing for each from $10 - $99, but not on $100 and up. I am worried that this kind of behavior can be a glitch that can be used or aid in attacks.

    Here is the header form code: (non ajax)
    [!AjaxSearch? &tplLayout=`header_form`&ajaxSearch=`0`&AS_landing=`14`&tplResult=`search_result`&tvPhx=`tv:displayTV`&parents=`7,12` !]


    Here is the landing page code:(ajax form + non-ajax result[hides on ajax search use])
    [!AjaxSearch?tplAjaxResult=`search_result`&tplLayout=`ajax_form`&tvPhx=`tv:displayTV`&parents=`7,12`&withTvs=`+:series,brand,category,artist`!]
    
    [!AjaxSearch?ajaxSearch=`0`&tplResult=`search_result`&tplResults=`non_ajax_results`&AS_showResults=`1`&AS_showForm=`0`&tvPhx=`tv:displayTV`&parents=`7,12`&withTvs=`+:series,brand,category,artist`!]


    As it shows above, I did tried to remove the other TVs, but it doesn’t remove this behavior, is there anything wrong with my implementation or something ? thanks in advance.
    • I believe that AjaxSearch can’t do a search on only 3 characters; this is actually a limitation of the database. (unless there is a work-around that I’m not aware of?)
        Studying MODX in the desert - http://sottwell.com
        Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
        Join the Slack Community - http://modx.org
        • 20413
        • 2,877 Posts
        If you add ’$’ to badwords
        If you add: $modRegExArray[] = ’~\$(.*?)~’; // $something
        like I did in my config you can exclude it. It will search the word BUT excluding $

        //Parameters in snippet call on the results page: &config=`mrhaw` &stripInput=`myOwnStripInput`
        my config file inside the config folder is named this mrhaw.config.php - Using AjaxSearch 1.8.1

        <?php
        // How to improve the default stripInput function to strip some new input strings ?
        // In this example we would like strip +someting+ or *something* input strings
        // for that we define a new stripInput function: myOwnStripInput
        // we reuse the functions stripslashes, stripTags and stripHtml provided by AS
        // we add the function stripOtherTags
        // in the snippet call add &stripInput=`myOwnStripInput` or defined it in this config file
        
        $debug = -2; // to allow a debug trace with firePhp
        
        if (!function_exists('myOwnStripInput'))
        {
        function myOwnStripInput($searchString) {
            if ($searchString !== ''){  
        
              // Remove escape characters
              $searchString = stripslashes($searchString);
        
              // Remove modx sensitive tags
              $searchString = stripTags($searchString);
        
              // Remove +something+ substring too
              $searchString = stripOtherTags($searchString);  
        
              // Strip HTML tags
              $searchString = stripHtml($searchString);  
              $searchString = stripHtmlExceptImage($searchString);   
            }  
            return $searchString;
          }
        }
        
        if (!function_exists('stripOtherTags'))
        {
          function stripOtherTags($text){
          // Regular expressions to remove +something+
          $modRegExArray[] = '~\+(.*?)\+~';   // +phx+
          $modRegExArray[] = '~\*(.*?)\*~';   // *something*
          $modRegExArray[] = '~\!(.*?)\!~';   // !snippet!
          $modRegExArray[] = '~\$(.*?)~';   // $something
          // Regular expressions to remove some bad words
          $badWords = array('div','phx','pagetitle','longtitle','getfield');        // any bad words you want
          foreach($badWords as $bw) $modRegExArray[] = '~'.$bw.'~';   
          
          // Remove modx sensitive tags
          foreach ($modRegExArray as $mReg)$text = preg_replace($mReg.'i','',$text);
          return $text;
          }
        }
        ?>


        But Susan is right on target because a search with 2 spaces work for a single letter...
        and the $ - is doing the same trick as what the spaces did for the search...
          @hawproductions | http://mrhaw.com/

          Infograph: MODX Advanced Install in 7 steps:
          http://forums.modx.com/thread/96954/infograph-modx-advanced-install-in-7-steps

          Recap: Portland, OR (PDX) MODX CMS Meetup, Oct 6, 2015. US Bancorp Tower
          http://mrhaw.com/modx_portland_oregon_pdx_modx_cms_meetup_oct_2015_us_bancorp_tower
          • 849
          • 19 Posts
          Quote from: sottwell at Jul 12, 2009, 06:34 AM

          I believe that AjaxSearch can’t do a search on only 3 characters; this is actually a limitation of the database. (unless there is a work-around that I’m not aware of?)

          Yeah, 3 is the default minimum character count for it, and it is actually happening on exactly 3 character query, like "$20" , "$50", "$77".
            • 849
            • 19 Posts
            Ok I have solved this problem, I have just found out that the weird behavior is because of the un`escaped search term that is being used on the preg_replace, where $ and alot other special characters are requiring to be escaped to work properly

            Around line 314 of assets\snippets\ajaxSearch\classes\search.class.inc.php, I have inserted a preg_quote before the preg_replace,
                    /* -- EDITED by Albert Diones, preventing special characters from preg_replace $replacement --*/
                    $quoted_searchTerm=preg_quote($searchTerm);
                    $having[]= preg_replace('/word/', $quoted_searchTerm, $havingSubClause);
                    /* -- End Edited, original: $having[]= preg_replace('/word/', $searchTerm, $havingSubClause); -- */
            
              • 20413
              • 2,877 Posts
              Sweet you should PM coroico this!!
                @hawproductions | http://mrhaw.com/

                Infograph: MODX Advanced Install in 7 steps:
                http://forums.modx.com/thread/96954/infograph-modx-advanced-install-in-7-steps

                Recap: Portland, OR (PDX) MODX CMS Meetup, Oct 6, 2015. US Bancorp Tower
                http://mrhaw.com/modx_portland_oregon_pdx_modx_cms_meetup_oct_2015_us_bancorp_tower
                • 5811
                • 1,717 Posts
                Thks a lot Albert for this fix.

                The bug is now registered as AJAXSEARCH-41.

                Quick fixes for AjaxSearch 1.8.3a post updated with this fix.
                  • 22851
                  • 805 Posts
                  Salut Coroico.

                  I just found out that I had the same bug in YAMS, but I fixed it using what I believe to be a better method. By using preg_quote, you could potentially end up quoting characters that don’t need to be, which could introduce unwanted slashes into your replacement value. The preg_replacement_quote function provided in the linked blog item just escapes the characters that are special to the replacement field.
                    YAMS: Yet Another Multilingual Solution for MODx
                    YAMS Forums | Latest: YAMS 1.1.9 | YAMS Documentation
                    Please consider donating if you appreciate the time and effort spent developing and supporting YAMS.