dsvf46980 2011-10-31 16:44
242 views
Accepted

Escaping request_param in Smarty templates

I've got a simple search script which returns results based on a query string from the URL:

// request_param() is the application's own helper for reading a GET/POST value;
// $topic_filters and $smarty are set up earlier in the script.
$filter_query = request_param('query');
if ($filter_query) {
  $topic_filters['query'] = $filter_query;
  // The raw, unescaped value is handed straight to the template.
  $smarty->assign('query', $filter_query);
}

However, currently this is exposed to XSS and abuse as it's not sanitising the input of 'query'.

I'm using Smarty Templates, are there any inbuilt functions to do this automatically?


2 answers

  • dqyq88053 2011-10-31 16:54

    Inside your Smarty template, use the escape modifier to escape the output against XSS attacks. By default it escapes & " ' < >. If you need additional entities encoded, use the :htmlall parameter to the escape modifier. (see the documentation)

    {* Inside your template... *}
    This is the value of {$query|escape}
    

    Otherwise you can escape it before assigning to Smarty with htmlspecialchars()

    // Or beforehand in PHP, which protects you from forgetting to do it in your template
    // if you use the same variable in many locations.
    $smarty->assign('query', htmlspecialchars($filter_query));
    
    Selected as the best answer by the asker.
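The two places to escape that this answer describes, side by side with the pitfalls a practitioner runs into, as an added example that is not part of the question or of dqyq88053's answer. It assumes no Smarty installation: instead of rendering a template it calls the same PHP functions Smarty's `escape` modifier uses internally (`htmlspecialchars()` with `ENT_QUOTES` for the default `html` type, `rawurlencode()` for `escape:'url'`), so it runs stand-alone. The attacker-style query value is constructed for the demonstration.

```php
<?php
// Added example, not code from the original question or answer.
// Reproduces what {$query|escape} and {$query|escape:'url'} do, without Smarty installed.
declare(strict_types=1);

// Constructed hostile value, as it might arrive in ?query=...
$filter_query = '<script>alert(1)</script>" onmouseover="alert(2)';

// HTML body/attribute context: what {$query|escape} does (htmlspecialchars, ENT_QUOTES).
// Passing the flags explicitly matters: before PHP 8.1 the default did not escape single quotes.
function escape_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// URL/query-string context: what {$query|escape:'url'} does.
function escape_url(string $s): string
{
    return rawurlencode($s);
}

// Vulnerable: a template that prints {$query} with no modifier.
function render_vulnerable(string $q): string
{
    return "<p>Results for: {$q}</p>";
}

// Hardened: escape once, at output time, with the escaper matching each context.
function render_safe(string $q): string
{
    $h = escape_html($q);
    $u = escape_url($q);
    return "<p>Results for: {$h}</p>\n"
         . "<input type=\"text\" name=\"query\" value=\"{$h}\">\n"
         . "<a href=\"?query={$u}&amp;page=2\">next page</a>";
}

// Pitfall: htmlspecialchars() before assign() AND |escape in the template double-encodes,
// so the user sees a literal "&lt;script&gt;" instead of "<script>" as text.
function render_double_escaped(string $q): string
{
    $assigned = escape_html($q);                          // escaped in PHP before assign()
    return '<p>Results for: ' . escape_html($assigned) . '</p>'; // escaped again by |escape
}

echo render_vulnerable($filter_query), PHP_EOL, PHP_EOL;
echo render_safe($filter_query), PHP_EOL, PHP_EOL;
echo render_double_escaped($filter_query), PHP_EOL;
```

Run it with `php example.php` and compare the three outputs: the first contains a live `<script>` tag and a broken-out attribute, the second shows the same text inert in both the paragraph and the `value` attribute and percent-encoded in the link, and the third shows why you pick one of the two approaches from the answer rather than both.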
