<![CDATA[ Use Google Analytics to track AjaxSearch - My Forums]]> https://forums.modx.com/thread/?thread=48208 <![CDATA[Re: Use Google Analytics to track AjaxSearch]]> https://forums.modx.com/thread/48208/use-google-analytics-to-track-ajaxsearch?page=2#dis-post-278897
load this snippet in the searchresults page:
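<?php
// Turn a POSTed search into a GET request on the same page so the term shows up in the URL.
if (isset($_POST['search']) && is_string($_POST['search'])) {
// rawurlencode() percent-encodes quotes, angle brackets and backslashes, so the
// submitted term cannot break out of the JavaScript string literal below.
$term = rawurlencode($_POST['search']);
$onload = '
<script type="text/javascript"> 
/* <![CDATA[ */
function init() {
	location.replace("[~[*id*]~]?AS_search='.$term.'");
}
window.onload = init;
/* ]]> */
</script> 
';
}
else {
$onload = '';
}
return $onload;
?>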



]]>
scorche Jun 06, 2010, 03:11 PM https://forums.modx.com/thread/48208/use-google-analytics-to-track-ajaxsearch?page=2#dis-post-278897
<![CDATA[Re: Use Google Analytics to track AjaxSearch]]> https://forums.modx.com/thread/48208/use-google-analytics-to-track-ajaxsearch?page=2#dis-post-278896
Quote from: vlad.dumitrica at Apr 13, 2010, 05:45 PM

As Google Analytics relies on JavaScript, I think it’s fair to play a little with the action URL. Basically, what I’m trying to suggest is that I POST the form to the URL that should’ve been constructed if the form would’ve had the method attribute set to GET.

You can add an onsubmit handler to the form that roughly looks like this (I apologize I hard-coded everything but you get the idea):
onsubmit="this.action += '?search=' + encodeURIComponent(document.getElementById('ajaxSearch_input').value); return true;"


Hope it helps.

Cheers,
Vlad
]]>
mrhaw Apr 13, 2010, 01:22 PM https://forums.modx.com/thread/48208/use-google-analytics-to-track-ajaxsearch?page=2#dis-post-278896
<![CDATA[Re: Use Google Analytics to track AjaxSearch]]> https://forums.modx.com/thread/48208/use-google-analytics-to-track-ajaxsearch?page=2#dis-post-278895 Quote from: Everett at Mar 19, 2010, 09:43 PM

There is a difference between CSRF and XSS attacks. The CSRF protections available in the manager don’t apply to the AjaxSearch in the front end, I don’t think...

I should have highlighted
Quote from: Announcement
... In addition, Ajax Search was updated to version 1.8.4 to prevent content injection when JS is off in the browser...


Quote from: Everett at Mar 19, 2010, 09:43 PM

...Stripping tags is one part of it, but there are html equivalents that slip by the tag stripping.

I’ve tried that on my site and it would only show the code (the html entities) and NOT the output of them.
So that is something for the next stage => Ajax Search snippet... which you already have access to (BEFORE my code)
in the url address bar.

// In my case, I really do want to track those searches. I have additional plugins dealing with this to get IP
and being able to deny in htaccess.

Ajax Search sanitizes the data: http://svn.modxcms.com/svn/tattoo/tattoo/releases/1.0.2/assets/snippets/ajaxSearch/classes/search.class.inc.php
Then you can set up your own config with your own badwords and rules:
http://modxcms.com/forums/index.php/topic,30405.0.html
http://modxcms.com/forums/index.php/topic,37607.msg226964.html#msg226964
]]>
mrhaw Mar 19, 2010, 05:05 PM https://forums.modx.com/thread/48208/use-google-analytics-to-track-ajaxsearch?page=2#dis-post-278895
<![CDATA[Re: Use Google Analytics to track AjaxSearch]]> https://forums.modx.com/thread/48208/use-google-analytics-to-track-ajaxsearch#dis-post-278894
The forum article you referenced points out the vulnerability clearly. E.g., if you type the following code into your AjaxSearch field:

Search+here...&advsearch=>"></title></iframe></script></form></td></tr><br><iFraMe+src%3Dhttp://www.HackerSafe.com+width%3D900+height%3D1100></IfRamE>


And that search term was somehow printed to the page (e.g. inside of a GA tag), then you’d better ensure that the data is filtered correctly. Stripping tags is one part of it, but there are HTML equivalents that slip by the tag stripping.

A good reference for this is here:
http://ha.ckers.org/xss.html

If you start pasting the examples into your form inputs and submitting your forms and you start seeing javascript pop-ups, then you know that your forms are vulnerable.]]>
Everettg_99 Mar 19, 2010, 04:43 PM https://forums.modx.com/thread/48208/use-google-analytics-to-track-ajaxsearch#dis-post-278894
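The point in the post above about tag stripping being only one part of the filtering, as an added example that is not part of the original thread or of AjaxSearch: the search term is encoded for each place it might be written (HTML attribute, URL parameter, JavaScript string such as a GA tag). The function names and the sample term are constructed for illustration.

```php
<?php
// Added example: encode the search term for the context it is written into.
// Function names and the sample term are constructed, not taken from AjaxSearch.

function as_html_attr(string $term): string {
    // HTML text or quoted attribute: quotes and angle brackets become entities.
    return htmlspecialchars($term, ENT_QUOTES, 'UTF-8');
}

function as_url_param(string $term): string {
    // Query-string value: everything outside A-Z a-z 0-9 - _ . ~ is percent-encoded.
    return rawurlencode($term);
}

function as_js_string(string $term): string {
    // JavaScript string literal inside a <script> block (for example a tracking call).
    // The JSON_HEX_* flags write <, >, &, ' and " as \uXXXX escapes, so the value
    // cannot close the string or the surrounding script element.
    return json_encode(
        $term,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
}

// Constructed sample term: it contains no tags, so strip_tags() has nothing to remove.
$term = 'shoes" data-x="1';

// Tag stripping alone: the double quote survives and the markup gains an attribute.
$stripped = strip_tags($term);
echo 'strip_tags only : <input value="' . $stripped . '">' . "\n";

// Context-aware encoding: the same term stays data in each output context.
echo 'HTML attribute  : <input value="' . as_html_attr($term) . '">' . "\n";
echo 'URL parameter   : ?AS_search=' . as_url_param($term) . "\n";
echo 'JS string       : var term = ' . as_js_string($term) . ";\n";
```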
<![CDATA[Re: Use Google Analytics to track AjaxSearch]]> https://forums.modx.com/thread/48208/use-google-analytics-to-track-ajaxsearch#dis-post-278893 einsteinsboi Mar 19, 2010, 03:14 PM https://forums.modx.com/thread/48208/use-google-analytics-to-track-ajaxsearch#dis-post-278893 <![CDATA[Re: Use Google Analytics to track AjaxSearch]]> https://forums.modx.com/thread/48208/use-google-analytics-to-track-ajaxsearch#dis-post-278892
Security is #1 priority.

Quote from: http://modxcms.com/forums/index.php/topic,41882.0.html
Security
Multiple areas were improved in the 1.0.1 release to help protect against unlikely but possible CSRF attacks in the Manager. In addition, Ajax Search was updated to version 1.8.4 to prevent content injection when JS is off in the browser and the Manager password reminder has been updated to prevent forged logins under different usernames. 1.0.2 addresses an issue with Webuser password change requests.
( http://modxcms.com/forums/index.php/topic,37298.msg247946.html#msg247946 )

http://modxcms.com/forums/index.php/topic,40576.msg244837.html#msg244837]]>
mrhaw Mar 19, 2010, 03:09 PM https://forums.modx.com/thread/48208/use-google-analytics-to-track-ajaxsearch#dis-post-278892
<![CDATA[Re: Use Google Analytics to track AjaxSearch]]> https://forums.modx.com/thread/48208/use-google-analytics-to-track-ajaxsearch#dis-post-278891 Everettg_99 Mar 19, 2010, 02:50 PM https://forums.modx.com/thread/48208/use-google-analytics-to-track-ajaxsearch#dis-post-278891 <![CDATA[Re: Use Google Analytics to track AjaxSearch]]> https://forums.modx.com/thread/48208/use-google-analytics-to-track-ajaxsearch#dis-post-278890 be accomplished other than breaking the javascript for one’s own
view.

But I updated the code above:

<?php
$getsearch = '?AS_search=' . strip_tags($_POST['search']);
return $getsearch;
?>


]]>
mrhaw Mar 19, 2010, 01:42 PM https://forums.modx.com/thread/48208/use-google-analytics-to-track-ajaxsearch#dis-post-278890
<![CDATA[Re: Use Google Analytics to track AjaxSearch]]> https://forums.modx.com/thread/48208/use-google-analytics-to-track-ajaxsearch#dis-post-278889 Everettg_99 Mar 19, 2010, 11:36 AM https://forums.modx.com/thread/48208/use-google-analytics-to-track-ajaxsearch#dis-post-278889 <![CDATA[Re: Use Google Analytics to track AjaxSearch]]> https://forums.modx.com/thread/48208/use-google-analytics-to-track-ajaxsearch#dis-post-278888 AJAX or loading an iframe could make it smoother...

But AjaxSearch 1.9.0 features:
Quote from: http://www.modx2.wangba.fr/index.php?id
$_GET is now possible with the templates.

Still in BETA http://www.modx2.wangba.fr/index.php?id=122]]>
mrhaw Mar 03, 2010, 04:46 PM https://forums.modx.com/thread/48208/use-google-analytics-to-track-ajaxsearch#dis-post-278888