Quote from: Everett at Mar 19, 2010, 09:43 PM
There is a difference between CSRF and XSS attacks. The CSRF protections available in the manager don’t apply to the AjaxSearch in the front end, I don’t think...
I should have highlighted
Quote from: Announcement... In addition, Ajax Search was updated to version 1.8.4 to prevent content injection when JS is off in the browser...
Quote from: Everett at Mar 19, 2010, 09:43 PM
...Stripping tags is one part of it, but there are html equivalents that slip by the tag stripping.
I’ve tried that on my site and it would only show the code (the html entities) and NOT the output of them.
So that is something for the next stage => Ajax Search snippet... which you already have access to (BEFORE my code) in the URL address bar.
// In my case, I really do want to track those searches. I have additional plugins dealing with this to get the IP and be able to deny it in .htaccess.
Ajax Search sanitizes the data:
http://svn.modxcms.com/svn/tattoo/tattoo/releases/1.0.2/assets/snippets/ajaxSearch/classes/search.class.inc.php
Then you can set up your own config with your own badwords and rules:
http://modxcms.com/forums/index.php/topic,30405.0.html
http://modxcms.com/forums/index.php/topic,37607.msg226964.html#msg226964
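As an added illustration of the tag-stripping vs. HTML-entity point above (this is example code written for this thread, not AjaxSearch's or MODx's own code; the function names sanitize_term, render_term and decode_then_echo and the sample search terms are all made up for the demo):

```php
<?php
// Added example, not code from AjaxSearch or MODx. It shows why strip_tags()
// on the search term is not the same as encoding it on output, which is the
// "HTML equivalents slip by the tag stripping" point from the post.
// sanitize_term(), render_term() and decode_then_echo() are hypothetical names.

function sanitize_term(string $raw): string
{
    // Input cleaning only: drop tags and trim. Entity-encoded markup such as
    // &lt;script&gt; is not a tag to strip_tags(), so it passes through as-is.
    return trim(strip_tags($raw));
}

function render_term(string $term): string
{
    // Output encoding for an HTML text or attribute context: &, <, >, " and '
    // become entities, so the browser displays the term and never parses it.
    return htmlspecialchars($term, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function decode_then_echo(string $term): string
{
    // The trap: decoding entities after the tag strip turns the encoded
    // "equivalent" back into a live tag right before it reaches the page.
    return html_entity_decode($term, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample search terms, as they might arrive in $_GET['search'].
$samples = [
    '<script>alert(1)</script>',                 // a plain tag
    '&lt;script&gt;alert(1)&lt;/script&gt;',     // the entity "equivalent" of the same tag
    'foo" onmouseover="alert(1)',                // no tags at all; breaks out of an attribute
];

foreach ($samples as $raw) {
    $term = sanitize_term($raw);
    echo "raw:                $raw\n";
    echo "after strip_tags:   $term\n";
    // Reflected raw into <input value="..."> the third sample escapes the attribute.
    echo "unsafe value attr:  <input value=\"$term\">\n";
    // Encoded on output, all three render as literal text.
    echo "safe value attr:    <input value=\"" . render_term($term) . "\">\n";
    // Decoding the entity form re-creates the tag that strip_tags() never saw.
    echo "decoded (unsafe):   " . decode_then_echo($term) . "\n\n";
}
```

Run it from the command line and compare the three lines per sample. The second sample is what the post describes: echoed into a text node, the browser shows `<script>alert(1)</script>` as text rather than executing it, because entities are displayed, not parsed. It only becomes a problem if something later decodes entities (the decode_then_echo line) or if the term lands inside an attribute, where the third sample breaks out even though strip_tags() had nothing to remove. Encoding with htmlspecialchars() at the point of output covers both cases; stripping tags is a badword-style input filter, not output protection.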