Note that multi-byte characters are no special characters, a distinction important when it comes to sanitization.<\/p>\n\n\n\n
It\u00b4s all about trust<\/h4>\n\n\n\n
It seems contradicting to XSS sanitize<\/a> all output but at the same time enable markers that in order to work need to be interpreted as HTML format tags. But as sanitization and marking hits are different actions, it is no real contradiction, but just a matter of trust meaning that any input<\/strong> is treated as untrustworthy<\/strong> data, whereas the markers<\/strong> inserted by machine are trusted<\/strong> code<\/p>\n\n\n\n In the context of search hits the following pieces of data were or are input<\/p>\n\n\n\n As the text to scan was persisted, it first needs to be retrieved from the persistence layer. As described in the how-to about XSS protection, this text wasn\u00b4t sanitized on persisting in order to retain the original input regardless of international or special characters. Looking ahead to the hit markers, only the latter is valid, because any untrustworthy data needs to be sanitized before being output. So the search algorithm searches the sanitized expression in the sanitized text and memorizes start and end positions of matches.<\/p>\n\n\n\n If there are matches, the hit marker algorithm inserts\/ injects HTML font format tags into the sanitized text at the memorized start and end positions. Suppose a text to be My aunt is called “Joanne”<\/em> and a search expression to be “Joa<\/em>, the marked text could look like follows (backslashes inserted in order to prevent interpretation of special characters).<\/p>\n\n\n\n My aunt is called <font class=”hit”>&\\quot;Joa<\/font>nne&\\quot;<\/p>\n\n\n\n As can be seen, the trusted format tags are interpreted whereas the untrustworthy text input is not.<\/p>\n\n\n\n The following example uses the Housekeeping web application<\/a>. It performs a complex search using combined search expressions containing multi-byte characters and operands (“||” is interpreted as OR).<\/p>\n\n\n\n Remark: hits are distinguished as being global (orange), local (blue) and global as well as local (cyan).Any input data is untrustworthy<\/h4>\n\n\n\n
In contrary, the search expression has been entered, but typically is not persisted, but just cached in memory. There are two possible ways to match the search expression and the text<\/p>\n\n\n\nHit markers are trusted<\/h4>\n\n\n\n
Example<\/h4>\n\n\n\n
![\"A](\"http:\/\/reichartonline.de\/content\/wp-content\/uploads\/2019\/04\/20190407_Housekeeping_xss_combined_search.png\")
<\/a>
As the XSS<\/a> code demonstrates, the sanitized HTML text is not interpreted, but the hit markers are.<\/p>\n\n\n\nSummary<\/h4>\n\n\n\n
![\"Mark](\"http:\/\/reichartonline.de\/content\/wp-content\/uploads\/2019\/04\/MarkHits.png\")
<\/a>