0

I have a web application, which has a search form. The user entered his query string into the input field and submitted the form using the submit button. Next, the Result page shows the search result.

The result page has an "endless scrolling" feature. This means, when reaching the end of the page, now results are loaded. So I have to send the 2nd query to the search engine with the same query string.

Currently, I see the following options:

1.) Using session-Parameter:

The first search request (coming from the search form) stores all search parameters, including the user's query string, in a session storage and the "endless scroll"-javascript function simply calls the "search"- URL without any additional GET-Parameter

Pro: no direct XSS problems (?)

Contra: the users mostly have to explicit reset his search/remove querystring from session parameter by doing an action.

2.) Echoing the query string in result page:

During the generation of the search result page, the user's query string is rendered into the webpage. For example in a hidden field or as a javascript parameter. So javascript can fetch this query string and use this as a query parameter or submit the form using ajax.

Pro: when re-entering the page, no old search data is loaded from the session store - it's more transparent for the user. No "reset-session-search-parameter" mechanism is needed

Contra: probably it's vulnerable for XSS, even when HTML is encoded... (?)

My questions: a.) Are these correct assumptions of pro and contra? b.) Who would you solve that problem?

Pouya Samie
  • 3,718
  • 1
  • 21
  • 34
The Bndr
  • 13,204
  • 16
  • 68
  • 107
  • _“During the generation of the search result page, the users query string is rendered into the webpage. For example in an hidden field or as an javascript parameter.”_ - or you simply take it from the `location` object, where you have it available from the very beginning ... And since that means, you don’t need to “output” it anywhere else, any XSS concerns specifically concerning that are void. – CBroe Aug 21 '17 at 10:49
  • @CBroe you mean: fetching the GET parameter using javascript, like here: https://stackoverflow.com/questions/901115/how-can-i-get-query-string-values-in-javascript ?? – The Bndr Aug 21 '17 at 12:25

1 Answers1

0

You definitely have some javascript on your page if you are doing endless scrolling, so I would do something like the following:

Pass search query from server into the page content, like:

<script type="application/json" id="current-filter">
{query: "search for me"}
</script>

When scrolling evet is triggered, read the filter and send the request:

var filter = JSON.parse(document.getElementById('current-filter').innerHTML);
// send the form
t1gor
  • 1,244
  • 12
  • 25