Developer forum

Let me add the following points and questions.

1. The 404 handling is odd in this scenario. Why?
2. As i understand now this due to a sql injection check is triggered. If this is true i expect a different error code and a message.
3. I think that when searching on this string it should be possible to handle this is a safe way in search weighted. It should be possible to search with special characters including others. What is the reason that this is not allowed? Can you address this?
4. Odd enough when you search for "<test >" (note the space) then i do NOT get the page 404. Instead it shows the page without search weighted search results or feedback. Why do i get this odd response?

These questions are still valid for DW 8.3.0.2. I have retested these issues.

Hi Remi

Using html tags in the URL is considered html injection and is therefore catched by Dynamicwebs antispam system - that is not SQL Injection system, but the XSS/JS/HTML injection prevention system. We could raise an exception but have chosen a 404 to avoid giving notice to potential hackers on what happens.

The same would happen on a regular asp.net webform, except that would give you a "potentially dangerous request" exception unless disabled in web.config.

So - no tags in querystrings. You can disable this behaviour in the management center, security: Disable sql injection checks. Which of course is not recommended.

Could you please describe the scenario where you need to search HTML? Just to understand what the correct solution would be.

Anyways, just changed the search module when you do a post and not a get when searching, it will allow the search of html tags.

BR Nicolai
 

Actually we do not need to search on the html source, this is not visible for the end user.
 

For example:
If a paragraph has a code sample the html tags are html encoded.
< b >this is bold </ b >
< i >this is italic</ i >

When i search for "< b >" i want to find the paragraph containing the bold tag which is html encoded.
That would mean that for fields containing html, before searching we need to html encode the search string. This would match the paragraph containing html samples which are html encoded.

An end user should be able to search on any string. The system needs to be aware we are handling an unsafe string and properly encode it where needed. So for html fields html encode it and not for simple text fields where exact matching is expected.

I had to edit my post. The forum is also having issues with written html tags :(

The post above is formatted with tags again but can not safely edit it. I suggest you review html encoding on the forum post as well.

As a workaround i added some spaces in the tags to make it formatted as intended. 

Does this make sense? Any update?

I get the point, not sure why you would search for that. Searching for <a> in Google etc. also just searches for 'a'

But basically you want the search to search for an HTML encoded value of whatever is inputtet? (Which we already do, but removes html entities)

We could potentially do that, but it could cause a lot of problems. And I do not really understand what problem needs to be solved.

What is the real life scenario you are trying to achieve - maybe there is another way...

BR Nicolai

You are right about google. searching for < video > matches video sites not the html tag for example.

Unfortunately when searching on this string in DW i get a white page or 404. Then i would expect the search to strip the characters '<' and '>' and search with "video" string.

Can this be implemented in search weighted?

Yes, that is what we did with the first feature mentioned in one of the posts.

If you change the form from doing a get to a post it will Work. Or bypass injection checks for parameters q in the security page in MC.

Or you could do a quick check in JS in the template.

The White page comes from Dynamicwebs built in security which do not allow html tags in querystring parameters. This can be disabled or bypassed in MC.

BR Nicolai

I see now then we should be able to manage this. Will look into changing search into a post. Will also look at bypassing 'q'parameter from MC.

From which version is this possible? Dw 8.2 and 8.3?

You need 8.3.0.5 for all of it.

BR Nicolai