How to make Examine search more secure? Security w...
# help-with-umbraco
Hi. We ran a report on our site and it has come up with security warnings. The concerned page uses Umbraco.Examine for searching content on the site. The query (passed in from the URL as a parameter) isn't being escaped or anything as such, but I wondered what the recommendation would be to resolve this? Here is a snippet of the code used:

```csharp
var searchCriteria = Request["query"];
if (!string.IsNullOrEmpty(searchCriteria))
{
    string srch = Request["query"];
    if (srch.ToLower() != "test".ToLower())
    {
        if (ExamineManager.Instance.TryGetIndex("ExternalIndex", out var index))
        {
            .....
```

I don't see an Examine config file under /config either (Umbraco 8).
I'm guessing this is an automated scanner that didn't like that you used `Request["query"];`. If so, then they need to clarify what exactly they think the security issue might be. Unlike SQL, there are no queries you can construct (as far as we know) that will give you access to data outside of your Examine index. Nor is there a way to send CRUD commands to Examine using the search criteria. So you will need to get clarification from the security people as to what the attack vector could be.
@Sebastiaan Yes, I assume it was an automated scanner, but they won't confirm. The feedback given was "Modify the scripts so that they properly escape arguments." I've added `@Html.Escape(Request["query"]);` but that isn't doing a lot in comparison to before and after results (it's almost the same), so if I entered something like `?query=+and+1=1` it prints the same back. My assumption was they may want it escaped so it returns the special chars accordingly, but not 100% sure. Not sure if the above helps?
Probably can't hurt, but you will never be able to search on any characters that get escaped. Maybe those would be dropped anyway, I am not sure. But yes, that sounds like an automated scanner and even if it is not, I would challenge them on their conclusion. It is really good feedback some of the time, but in this case, I feel like they don't really know enough of the context. If your search results are still fine and this escaping pleases them then so be it.
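The thread leaves the scanner's finding unresolved, so here is how the two concerns a reviewer would actually raise about `Request["query"]` can be separated and handled. This is an added example, not code from the thread or from Umbraco/Examine: first, characters that Lucene's query parser treats as syntax (`* ? ~ ^ : ( ) [ ] { } " \`) are escaped so a user cannot turn a search term into a wildcard, range or field-selector query that errors out or scans the whole index; second, the term is HTML-encoded before it is echoed back into the page, which is the reflected-output issue a generic "escape arguments" warning usually points at. It assumes Umbraco 8 with Examine 1.x and Lucene.NET 3.x (`QueryParser.Escape`), the `ExternalIndex` named in the question, and that `nodeName` is the field being searched; the length cap and the `SafeSearch` class name are my own choices.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;
using Examine;
using Lucene.Net.QueryParsers;

// Added example (not from the thread). Assumes Umbraco 8 / Examine 1.x with the
// "ExternalIndex" from the question; searching "nodeName" is an assumption.
public static class SafeSearch
{
    // Arbitrary upper bound so a very long parameter cannot become a very expensive query.
    private const int MaxQueryLength = 200;

    // Normalise the raw URL parameter: trim, collapse whitespace, cap the length.
    // Returns null when there is nothing sensible to search for.
    public static string NormalizeUserInput(string raw)
    {
        if (string.IsNullOrWhiteSpace(raw)) return null;
        var trimmed = Regex.Replace(raw.Trim(), @"\s+", " ");
        return trimmed.Length > MaxQueryLength ? trimmed.Substring(0, MaxQueryLength) : trimmed;
    }

    // Escape Lucene query syntax so the user's text is matched literally instead of
    // being parsed as wildcards, ranges, boosts, fuzziness or "field:value" selectors.
    // QueryParser.Escape is the Lucene.NET helper; Examine's own string.Escape()
    // extension does the same job for Examine query values.
    public static string EscapeForLucene(string term) => QueryParser.Escape(term);

    // Encode the term before echoing it into markup ("You searched for ...").
    // Razor @-expressions encode automatically; this is for code paths that build
    // HTML by hand or go through Html.Raw.
    public static string EncodeForHtml(string term) => WebUtility.HtmlEncode(term);

    // Run the query against the ExternalIndex with the escaped term.
    // Returns null when the input is empty or the index is not available.
    public static ISearchResults Search(string rawQuery)
    {
        var term = NormalizeUserInput(rawQuery);
        if (term == null) return null;

        if (!ExamineManager.Instance.TryGetIndex("ExternalIndex", out var index))
            return null;

        var searcher = index.GetSearcher();
        var query = searcher.CreateQuery("content")
                            .Field("nodeName", EscapeForLucene(term));
        return query.Execute();
    }
}
```

Sebastiaan's caveat still applies: once a character is escaped it is searched for literally, so a user typing `umbraco*` will no longer get a wildcard match. That is usually the right trade-off for a public site search, and the result sets being "almost the same" before and after is exactly what you would expect, because escaping only changes the outcome for input that contains query syntax in the first place.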