
Check your search box for XSS exploits - ajbatac
http://www.mattcutts.com/blog/check-your-search-box-for-xss-exploits/
======
tptacek
Don't just check your search box inputs (everyone checks that). The classic
problem with search is that search _results_ can trigger XSS.

Remember there are two approaches to dealing with XSS:

* _Input filtering_ , where you disallow people from entering live HTML metadata into inputs, or neutralize those inputs with entity encoding.

* _Output filtering_ , where you neutralize HTML when rendering content that could have originated from users.

Both are important, but output filtering is particularly easy to do
inconsistently, and an extremely common example of that is data that is nicely
output filtered in the "show" action, but that isn't filtered either in the
search list summary or the search clickthrough.

Remember that XSS vulnerabilities in search results are _persistent_ (or
_stored_ ) XSS vulnerabilities, which are worse than reflected vulnerabilities
which only work when someone clicks a malicious link.

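As an added illustration of the inconsistency described in the comment above (example code written for this page, not from the thread or the linked blog post), the small Node.js module below holds a constructed record store, renders the "show" page with proper output encoding, renders the search summary once without encoding (the bug) and once with it (the fix), and includes a simple regression check a defender can run over rendered output. The record contents, route names and helper names are all assumptions made for the example.

```javascript
// Minimal HTML entity encoding for text nodes and quoted attribute values.
// Output filtering: applied at render time, regardless of where the data came from.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Constructed sample store. Record 2 stands in for user-submitted content that
// already contains markup; it is the "stored" half of a stored XSS problem.
const records = [
  { id: 1, title: 'Hello world', body: 'A harmless post about gardening.' },
  { id: 2, title: 'Plants <script>alert(1)</script>', body: 'Stored markup in the title.' },
];

// The "show" action: every user-controlled value is encoded. This is the
// action that usually gets reviewed and tested.
function renderShow(record) {
  return `<h1>${escapeHtml(record.title)}</h1><p>${escapeHtml(record.body)}</p>`;
}

function findRecords(query) {
  const needle = query.toLowerCase();
  return records.filter((r) => r.title.toLowerCase().includes(needle));
}

// The search summary as it is often written: the stored title is interpolated
// raw into the list, and the query itself is echoed back raw. Both are XSS sinks,
// and the first one is stored XSS because the payload lives in the database.
function renderSearchVulnerable(query) {
  const items = findRecords(query)
    .map((r) => `<li><a href="/show/${r.id}">${r.title}</a></li>`)
    .join('');
  return `<p>Results for ${query}</p><ul>${items}</ul>`;
}

// The fix: the same encoding the show action uses, applied to every value that
// reaches the page, including the echoed query and the attribute value.
function renderSearchFixed(query) {
  const items = findRecords(query)
    .map((r) => `<li><a href="/show/${escapeHtml(r.id)}">${escapeHtml(r.title)}</a></li>`)
    .join('');
  return `<p>Results for ${escapeHtml(query)}</p><ul>${items}</ul>`;
}

// Regression check: render a view and report whether a raw <script tag survived.
// Running this over every template that touches stored data catches the case
// where one action encodes and another does not.
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// Stand-alone run: prints which renderer leaks the stored markup.
console.log('show action leaks:', containsRawScriptTag(renderShow(records[1])));
console.log('vulnerable search leaks:', containsRawScriptTag(renderSearchVulnerable('plants')));
console.log('fixed search leaks:', containsRawScriptTag(renderSearchFixed('plants')));

module.exports = { escapeHtml, renderShow, renderSearchVulnerable, renderSearchFixed, containsRawScriptTag };
```

The point of the check is not the regex itself but where it is run: against the rendered output of every action that can display a given field, since the show action passing says nothing about the search list.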
~~~
noodle
you'd be surprised at the number of people who don't sanitize their inputs,
even good developers. sometimes you just forget unless you have the concept
drilled into your head.

