<![CDATA[ Use Google Analytics to track AjaxSearch - MODX Community Forums]]> https://forums.modx.com/thread/?thread=48208 <![CDATA[Re: Use Google Analytics to track AjaxSearch]]> https://forums.modx.com/thread/48208/use-google-analytics-to-track-ajaxsearch?page=2#dis-post-278897
load this snippet in the searchresults page:
<?php
if (isset($_POST['search'])) {
$onload = '
<script type="text/javascript"> 
/* <![CDATA[ */
function init() {
	location.replace("[~[*id*]~]?AS_search='.$_POST['search'].'");
}
window.onload = init();
/* ]]> */
</script> 
';
}
else {
$onload = '';
}
return $onload;
?>



]]>
scorche Jun 06, 2010, 03:11 PM https://forums.modx.com/thread/48208/use-google-analytics-to-track-ajaxsearch?page=2#dis-post-278897
<![CDATA[Re: Use Google Analytics to track AjaxSearch]]> https://forums.modx.com/thread/48208/use-google-analytics-to-track-ajaxsearch?page=2#dis-post-278896
Quote from: vlad.dumitrica at Apr 13, 2010, 05:45 PM

As Google Analytics relies on JavaScript, I think it’s fair to play a little with the action URL. Basically, what I’m trying to suggest is that I [tt]POST[/tt] the form to the URL that should’ve been constructed if the form would’ve had the [tt]method[/tt] attribute set to [tt]GET[/tt].

You can add an [tt]onsubmit[/tt] handler to the form that roughly looks like this (I apologize I hard-coded everything but you get the idea):
onsubmit="this.action += '?search=' + encodeURI(document.getElementById('ajaxSearch_input').value); return true;"


Hope it helps.

Cheers,
Vlad
]]>
mrhaw Apr 13, 2010, 01:22 PM https://forums.modx.com/thread/48208/use-google-analytics-to-track-ajaxsearch?page=2#dis-post-278896
<![CDATA[Re: Use Google Analytics to track AjaxSearch]]> https://forums.modx.com/thread/48208/use-google-analytics-to-track-ajaxsearch?page=2#dis-post-278895 Quote from: Everett at Mar 19, 2010, 09:43 PM

There is a difference between CSRF and XSS attacks. The CSRF protections available in the manager don’t apply to the AjaxSearch in the front end, I don’t think...

I should have highlighted
Quote from: Announcement
... In addition, Ajax Search was updated to version 1.8.4 to prevent content injection when JS is off in the browser...


Quote from: Everett at Mar 19, 2010, 09:43 PM

...Stripping tags is one part of it, but there are html equivalents that slip by the tag stripping.

I’ve tried that on my site and it would only show the code (the html entities) and NOT the output of them.
So that is something for the next stage => Ajax Search snippet... which you already have access to (BEFORE my code)
in the url address bar.

// In my case, I really do want to track those searches. I have additional plugins dealing with this to get IP
and being able to deny in htaccess.

Ajax Search sanitizes the data: http://svn.modxcms.com/svn/tattoo/tattoo/releases/1.0.2/assets/snippets/ajaxSearch/classes/search.class.inc.php
Then you can set up your own config with your own badwords and rules:
http://modxcms.com/forums/index.php/topic,30405.0.html
http://modxcms.com/forums/index.php/topic,37607.msg226964.html#msg226964
]]>
mrhaw Mar 19, 2010, 05:05 PM https://forums.modx.com/thread/48208/use-google-analytics-to-track-ajaxsearch?page=2#dis-post-278895
<![CDATA[Re: Use Google Analytics to track AjaxSearch]]> https://forums.modx.com/thread/48208/use-google-analytics-to-track-ajaxsearch#dis-post-278894
The forum article you referenced points out the vulnerability clearly. E.g if you type the following code into your AjaxSearch field:

Search+here...&advsearch=>"></title></iframe></script></form></td></tr><br><iFraMe+src%3Dhttp://www.HackerSafe.com+width%3D900+height%3D1100></IfRamE>


And that search term was somehow printed to page (e.g. inside of a GA tag), then you’d better ensure that the data is filtered correctly. Stripping tags is one part of it, but there are html equivalents that slip by the tag stripping.

A good reference for this is here:
http://ha.ckers.org/xss.html

If you start pasting the examples into your form inputs and submitting your forms and you start seeing javascript pop-ups, then you know that your forms are vulnerable.]]>
Everettg_99 Mar 19, 2010, 04:43 PM https://forums.modx.com/thread/48208/use-google-analytics-to-track-ajaxsearch#dis-post-278894
<![CDATA[Re: Use Google Analytics to track AjaxSearch]]> https://forums.modx.com/thread/48208/use-google-analytics-to-track-ajaxsearch#dis-post-278893 einsteinsboi Mar 19, 2010, 03:14 PM https://forums.modx.com/thread/48208/use-google-analytics-to-track-ajaxsearch#dis-post-278893 <![CDATA[Re: Use Google Analytics to track AjaxSearch]]> https://forums.modx.com/thread/48208/use-google-analytics-to-track-ajaxsearch#dis-post-278892
Security is #1 priority.

Quote from: http://modxcms.com/forums/index.php/topic,41882.0.html
Security
Multiple areas were improved in the 1.0.1 release to help protect against unlikely but possible CSRF attacks in the Manager. In addition, Ajax Search was updated to version 1.8.4 to prevent content injection when JS is off in the browser and the Manager password reminder has been updated to prevent forged logins under different usernames. 1.0.2 addresses an issue with Webuser password change requests.
( http://modxcms.com/forums/index.php/topic,37298.msg247946.html#msg247946 )

http://modxcms.com/forums/index.php/topic,40576.msg244837.html#msg244837]]>
mrhaw Mar 19, 2010, 03:09 PM https://forums.modx.com/thread/48208/use-google-analytics-to-track-ajaxsearch#dis-post-278892
<![CDATA[Re: Use Google Analytics to track AjaxSearch]]> https://forums.modx.com/thread/48208/use-google-analytics-to-track-ajaxsearch#dis-post-278891 Everettg_99 Mar 19, 2010, 02:50 PM https://forums.modx.com/thread/48208/use-google-analytics-to-track-ajaxsearch#dis-post-278891 <![CDATA[Re: Use Google Analytics to track AjaxSearch]]> https://forums.modx.com/thread/48208/use-google-analytics-to-track-ajaxsearch#dis-post-278890 be accomplished other than breaking the javascript for one’s own
view.

But I updated the code above:

<?php
$getsearch = '?AS_search=' . strip_tags($_POST['search']);
return $getsearch;
?>


smiley
]]>
mrhaw Mar 19, 2010, 01:42 PM https://forums.modx.com/thread/48208/use-google-analytics-to-track-ajaxsearch#dis-post-278890
<![CDATA[Re: Use Google Analytics to track AjaxSearch]]> https://forums.modx.com/thread/48208/use-google-analytics-to-track-ajaxsearch#dis-post-278889 Everettg_99 Mar 19, 2010, 11:36 AM https://forums.modx.com/thread/48208/use-google-analytics-to-track-ajaxsearch#dis-post-278889 <![CDATA[Re: Use Google Analytics to track AjaxSearch]]> https://forums.modx.com/thread/48208/use-google-analytics-to-track-ajaxsearch#dis-post-278888 AJAX or loading an iframe could make it smoother...

But AjaxSearch 1.9.0 features:
Quote from: http://www.modx2.wangba.fr/index.php?id
$_GET is now possible with the templates.

Still in BETA http://www.modx2.wangba.fr/index.php?id=122]]>
mrhaw Mar 03, 2010, 04:46 PM https://forums.modx.com/thread/48208/use-google-analytics-to-track-ajaxsearch#dis-post-278888