Not validating the user input in HTML forms !?

December 29, 2008 · 0 comments

Recently, on one of the websites I visited, I saw a search box which, when I entered a query, displayed the query results along with my search query itself. For example, if I searched for the term 'tips', it returned the results as:

Showing the results for the query 'tips':

…here go the search results…

The problem I saw with this approach of showing the query term in the results is that my query term is not validated at all for invalid input. I tried to insert some JavaScript code as the search query, like '<script>alert('bad approach!');</script>. The first character (a single quote) closes the opening quote that the results page places around the search term. So, without validating this input, the site formed the output string as:

Showing the Search results for the query ''<script>alert('bad approach');</script>':

(The text in bold is my query string; see how it turned plain HTML into executable JavaScript!)

And when the site returned the search results, it opened an alert box, as I expected.

Showing user input as-is in a website is dangerous for any site. User input should be validated for any kind of malicious code, HTML tags, etc. This again re-emphasizes that "every input is evil, until proved otherwise!"
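To make the point concrete, here is an added example (not code from the site described above) of the reflected search page in both forms: the unescaped version that reproduces the behaviour in the post, and a hardened version that HTML-encodes the term before placing it in the page. The function names and the sample query are my own constructions.

```python
import html

# Constructed sample query of the kind described in the post: a leading
# quote to break out of the surrounding quotes, followed by a script tag.
SAMPLE_QUERY = "'<script>alert('bad approach!');</script>"


def render_results_unescaped(query: str) -> str:
    """Vulnerable: reflects the raw search term straight into the HTML page."""
    return "Showing the results for the query '" + query + "':"


def render_results_escaped(query: str) -> str:
    """Hardened: HTML-encode the term for the HTML-body context it lands in.

    quote=True also encodes ' and " so the term can never close the quotes
    the page puts around it, which is exactly the break-out the post shows.
    """
    return "Showing the results for the query '" + html.escape(query, quote=True) + "':"


def reflects_raw_tag(rendered: str) -> bool:
    """Regression check for the page: does the output still contain a raw tag?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    # The vulnerable page carries the script tag through unchanged ...
    print(render_results_unescaped(SAMPLE_QUERY))
    # ... while the hardened page shows the term as harmless text.
    print(render_results_escaped(SAMPLE_QUERY))
```

The encoding must match the output context; html.escape is right for text inside the HTML body, not for a value placed inside a script block or a URL.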
