Deal with handling XSS issues in the query #223

yegg · 2013-10-07T15:59:07Z

The query can have XSS bugs in it and so should not be displayed directly. I'm not sure if we currently offer them an escaped version like we have in the backend q_escape. If not we should and it can mimic the backend function.

Also, we need to add to the docs about not returning the query directly in html. For non-HTML we already escape it.

moollaza · 2014-03-17T19:59:50Z

An explanation about not returning the raw query in the IA's HTML has been added to the docs in this: duckduckgo/duckduckgo-documentation#39

moollaza · 2014-03-17T20:01:59Z

Moving this issue to the https://github.com/duckduckgo/duckduckgo repo as the fix would need to be implemented there.

jagtalon · 2014-03-21T19:22:06Z

@moollaza Cool!

ghost assigned moollaza Oct 7, 2013

moollaza mentioned this issue Jan 22, 2014

Explain why you shouldn't return the unescaped query as HTML in Goodies duckduckgo/duckduckgo-documentation#33

Closed

moollaza closed this as completed Mar 17, 2014

moollaza mentioned this issue Mar 17, 2014

Deal with handling XSS issues in the query duckduckgo/duckduckgo#66

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Deal with handling XSS issues in the query #223

Deal with handling XSS issues in the query #223

yegg commented Oct 7, 2013

moollaza commented Mar 17, 2014

moollaza commented Mar 17, 2014

jagtalon commented Mar 21, 2014

Deal with handling XSS issues in the query #223

Deal with handling XSS issues in the query #223

Comments

yegg commented Oct 7, 2013

moollaza commented Mar 17, 2014

moollaza commented Mar 17, 2014

jagtalon commented Mar 21, 2014