Home/ Questions/Q 6752515
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-26T13:03:14+00:00

I’ve got a simple search script which returns results based on a query string

  • 0

I’ve got a simple search script which returns results based on a query string from the URL:

$filter_query = request_param('query');
if ($filter_query) {
  $topic_filters['query'] = $filter_query;
  $smarty->assign('query', $filter_query);
}

However currently this is exposed to XSS and abuse as its not sanitising the input of ‘query’.

Im using Smarty Templates, are there any inbuilt functions to do this automatically?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Inside your Smarty template, use the escape modifier to escape the output against XSS attacks. By default it escapes & " ' < >. If you need additional entities encoded, use the :htmlall parameter to the escape modifier. (see the documentation)

    {* Inside your template... *}
This is the value of {$query|escape}

    Otherwise you can escape it before assigning to Smarty with htmlspecialchars()

    // Or beforehand in PHP, which protects you from forgetting to do it in your template
// if you use the same variable in many locations.
$smarty->assign('query', htmlspecialchars($filter_query));
    • 0