Blocking special characters in search

berni7473

30-04-2019

Hi ,

I have created a search component which performs a full-text search. I am able to perform a search for a string; however, if I search for a string with special characters the search is still working. I need to block the search from happening, i.e. if a user does a search with any special characters, the result should be a "Page not found" or a "Could not find what you're looking for" message.

The search component was created taking reference from the searchpromote component in AEM, and it is in JSP.

Please let me know if there are any useful inputs on the same.

Regards,

Bernadine Soman


Accepted Solutions (1)


berni7473

02-05-2019

Thanks Arun, I tried doing the same with regex expressions and it worked. Using Pattern and Matcher, I achieved the result I wanted. The key challenge here was that I was not able to separate the query string into actual characters and special characters, i.e. if I entered any string such as "Test$%$#&" the search would still happen; I wanted it to be blocked even before the string is encoded into a URL. Finally the following worked for me:

<%@ page import="java.util.regex.Pattern, java.util.regex.Matcher, java.net.URLDecoder" %>
String searchTerm = Search.getQueryParameter(search.getQueryString(), "q");
// Decode once so an encoded character such as %3C is checked as '<'; guard against a missing "q"
String decoded = searchTerm == null ? "" : URLDecoder.decode(searchTerm, "UTF-8");
// Characters that must not appear anywhere in the term
Pattern pattern = Pattern.compile("[<>'/=]");
Matcher m = pattern.matcher(decoded);
// true when at least one blocked character was found
boolean value = m.find();
pageContext.setAttribute("value", value);
// Pass the term on only when it is not blank, not "*" and contains no blocked character
pageContext.setAttribute("searchterm", StringUtils.isNotBlank(searchTerm) && !searchTerm.equals("*") && !value ? decoded : "");

This is in JSP of the component.

Thanks everybody for your helpful insights.
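Added example for this thread (not code from the post or from AEM's searchpromote component): the decode-then-match check from the accepted answer as a plain Java class, next to an allowlist variant; the class name, method names and the allowed character set are assumptions. The constructed sample values include the characters mentioned in the thread, so the output shows what each check lets through.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

// Added example, not code from the thread or from AEM: the accepted answer's decode-then-match
// check as a plain Java class, beside an allowlist variant. Names and allowed set are assumptions.
public final class SearchTermFilter {
    // Blacklist from the accepted answer: reject a term containing any of < > ' / =
    private static final Pattern BLOCKED = Pattern.compile("[<>'/=]");
    // Allowlist (assumed): letters, digits, space, dot, underscore, hyphen; 1 to 100 characters.
    // Anything else, including a '%' left behind by a doubly encoded value, fails the check.
    private static final Pattern ALLOWED = Pattern.compile("[\\p{L}\\p{N} ._-]{1,100}");

    // Decode exactly once, so an encoded character such as %3C is checked as '<' and not as "%3C".
    // Returns null when the value is not valid URL encoding (e.g. a trailing '%'); Java 10+ overload.
    static String decodeOnce(String raw) {
        try {
            return URLDecoder.decode(raw, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException malformed) {
            return null;
        }
    }

    // Mirrors the accepted answer: "" for null, undecodable, blank, "*" or blocked input, else the term.
    public static String blacklistCheck(String raw) {
        String term = raw == null ? null : decodeOnce(raw);
        if (term == null || term.trim().isEmpty() || term.equals("*") || BLOCKED.matcher(term).find()) {
            return "";
        }
        return term;
    }

    // Stricter variant: the term must consist entirely of allowed characters.
    public static String allowlistCheck(String raw) {
        String term = raw == null ? null : decodeOnce(raw);
        if (term == null || term.equals("*") || !ALLOWED.matcher(term).matches()) {
            return "";
        }
        return term;
    }

    public static void main(String[] args) {
        // Constructed "q" values as they arrive in the query string, including the thread's own samples
        String[] samples = {"Test", "Test%24%25%24%23%26", "text%24%23%25file%26*alert(1)", "%253Cscript%253E", "50%"};
        for (String q : samples) {
            System.out.printf("%-32s blacklist=%-24s allowlist=\"%s\"%n", q, "\"" + blacklistCheck(q) + "\"", allowlistCheck(q));
        }
    }
}
```

The last sample is rejected by both checks because it is not valid URL encoding, and the doubly encoded one passes the blacklist but not the allowlist.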

Answers (7)


Arun_Patidar

MVP

02-05-2019

Do you have your code snippet in /libs/cq/searchpromote/components/results/results.jsp? If yes, then you can try the approach below to update the code near line 36:

if (search.getQueryString() != null) {
    Query query = search.getQuery();
    long totalResults = 0;
    long totalPages = 0;
    long resultsOnCurrentPage = 0;
    String currentPageNumber = "0";
    String searchTerm = Search.getQueryParameter(search.getQueryString(), "q");
    // Blocked characters: ! @ # $ % ^ *  -- only fetch results when none of them is present
    if (searchTerm != null && !searchTerm.matches(".*[!@#$%^*].*")) {
        totalResults = query.getTotalResults();
        resultsOnCurrentPage = search.getResults().size();
    }
    // ... rest of the existing results.jsp logic
}

I didn't find any snippet and I did not try this, but you can give it a shot.

Maybe you need to check the match method with a debugger.


berni7473

01-05-2019

Thanks for the insight. The check which you are describing for the special characters is exactly what I want to do. This is the snippet I have in the JSP:

String searchTerm = Search.getQueryParameter(search.getQueryString(), "q");
pageContext.setAttribute("searchterm", StringUtils.isNotBlank(searchTerm) && !searchTerm.equals("*") ? URLDecoder.decode(searchTerm, "UTF-8") : "");

Now, before it goes to the pageContext, I need to add a check here, which is where I am struggling. Is there any snippet or any kind of reference which I can use to perform the special character check here?

Regards,

Bernadine Soman

Arun_Patidar

MVP

30-04-2019

At the AEM side you need to write a check for special characters in /libs/cq/searchpromote/components/init.jsp.

I would recommend you to do it client side to avoid server side processing.

If you are facing an issue with URL encoding, you can try decoding the query before validating, and please check the regex as well.


Let me know if you need help with the regex.

berni7473

30-04-2019

I am already using the regex expression, but when I try any other string with special characters the search is still working.

I want to block the search for special characters in the query term itself from aem level.

berni7473

30-04-2019

Not exactly. I want to block a few characters from the search. Suppose I have the query string "text$#%file&*alert(1)"; now when I search for this, the special characters in the URL are replaced by %22%32 or something like this because of the URL decoder.

I want this to be blocked.

Arun_Patidar

MVP

30-04-2019

I think you can do this using the front end (e.g. jQuery or JavaScript).

For the search input field, apply regex validation or a special-character check; if the input contains invalid characters, display an error page or some info, otherwise submit the form to get the search results.