woop Posted December 21, 2013
Hi! I noticed a suspicious search string in my website's logs. Someone searched for "&", which causes an error. I noticed that the same string causes an error on the Skyscrapers demo site: http://processwire.com/skyscrapers/search/ Is this something to be worried about?
--
Error: Exception: Unknown Selector operator: '%=&' -- was your selector value properly escaped?
--
diogo Posted December 21, 2013
GET on a form should turn & into %26 and prevent this problem. What method are you using?
woop Posted December 21, 2013 Author
GET on a form should turn & into %26 and prevent this problem. What method are you using?
I'm using GET. Should be the same code as the skyscraper profile, I think.

head.inc:
    <form id='search-form' action='<?php echo $config->urls->root?>search/' method='get'>
        <input type='text' name='q' id='search_query' placeholder="Search..." value='<?php echo htmlentities($input->whitelist('q'), ENT_QUOTES, 'UTF-8'); ?>' />
        <button type='submit' id='search_submit'>Search</button>
    </form>

search.php:
    // selectorValue() returns an empty value when the input is not usable in a selector
    if($q = $sanitizer->selectorValue($input->get->q)) {
        // do search
    }
diogo Posted December 21, 2013
Hm, it's the responsibility of the browser to do this. What do you get on the URL? Is the & encoded or not? Can you also try in another browser?
woop Posted December 21, 2013 Author
Same problem in Chrome, at least. URL is encoded, see this as an example: http://processwire.com/skyscrapers/search/?keywords=%26&city=&height=&floors=&year=&submit=Search
diogo Posted December 21, 2013
True, it is being encoded. Must be a problem with the selectors. If you do it while logged in you will get a useful message that should confirm this. To solve this you can pass the query to $sanitizer->selectorValue($value) and make the search only if it returns a value:

    // (not tested)
    $query = $sanitizer->selectorValue($query);
    if (!$query) {
        // not a valid search
    }
woop Posted December 21, 2013 Author
Thanks! But isn't that what I'm already doing in search.php?

    if($q = $sanitizer->selectorValue($input->get->q)) {
        // do search
    } else {
        // don't search
    }
diogo Posted December 21, 2013
Sorry, I'm not looking at the code, and didn't notice that you posted it above. And yes, it's the same thing... and it's strange because that should prevent any error. Anyway, and answering your question, I don't think it's something you should worry about.
woop Posted December 21, 2013 Author
Ok thanks! The same problem appears in Ryan's Skyscraper template - so maybe it's a core issue, then? I'll leave it for now
Soma Posted December 21, 2013
That's a strange one. But there are anyway a couple of strange things when using PW search with selectors sometimes. On my new blog http://soma.urlich.ch this doesn't happen and I have the same code. When I search for & it gets transformed to "&" and it finds results that contain no visible "&". On all other PW sites there's an error. On processwire.com if you enter "test&" you get some results and the first search entry "iPhone test" is strange as it is a page that isn't viewable! Anyway, searching with something like "some & string" isn't a problem, and maybe just a min char count test on the search form could easily prevent an error for things like "&".
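A search.php guard that combines diogo's "only search if selectorValue() returns something" check with Soma's minimum character count, written here as an added example rather than code from the thread or from the Skyscrapers profile. It assumes ProcessWire's $input, $sanitizer, $pages and $log API variables and its WireException class; the searched fields, the minimum length and the messages are made-up values.

```php
<?php
// search.php (added example, not the thread's code): reject a query such as "&"
// before it is dropped into a selector, so $pages->find() never sees a string it
// cannot parse and the "Unknown Selector operator" exception is not triggered.

$minLength = 2;              // assumed minimum query length (Soma's suggestion)
$fields    = 'title|body';   // assumed fields to search

// Raw user input, then the selector-safe version of it (diogo's suggestion).
$raw = $input->get->q;
$q   = $sanitizer->selectorValue($raw);

/**
 * Decide whether a sanitized selector value is worth searching for.
 * Rejects empty values, values shorter than $minLength, and values that contain
 * no letter or digit at all (e.g. "&", "%", "--"), which are the inputs that
 * produced the error discussed in this thread.
 */
function isSearchableQuery($q, $minLength) {
    if (!is_string($q) || strlen(trim($q, " \t\"")) < $minLength) return false;
    // \p{L}\p{N} with the u modifier keeps non-ASCII searches working.
    return (bool) preg_match('/[\p{L}\p{N}]/u', $q);
}

$matches = null;   // stays null when no search is performed
$error   = '';

if (isSearchableQuery($q, $minLength)) {
    // Whitelist only the value we actually searched, so head.inc echoes a safe one.
    $input->whitelist('q', $q);
    try {
        // selectorValue() already returns a value that is safe inside a selector.
        $matches = $pages->find("$fields%=$q, limit=50");
    } catch (WireException $e) {
        // The selector still could not be parsed: log it for the site owner and
        // show a generic message instead of the raw exception text.
        $log->error('search: ' . $e->getMessage());   // assumed $log API variable
        $error = 'Sorry, that search could not be performed.';
    }
} elseif (strlen((string) $raw) > 0) {
    $error = "Please enter at least $minLength letters or digits.";
}

// $matches is now either null (no search ran) or a PageArray to render; $error
// holds a message for the visitor when the query was rejected or failed.
```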