Sanitizing Search Input - BloomReach Experience - Open Source CMS

This article covers Hippo CMS version 10. An updated version is available that covers our most recent release.

26-11-2015

Sanitizing Search Input

HST's SearchInputParsingUtils provides utility methods for sanitizing potentially malicious query strings by filtering out invalid characters and constraining the use of wildcards.

We recommend always using SearchInputParsingUtils for free-text input that is injected into an HstQuery.

For optimal performance, set the allowSingleNonLeadingWildCardPerTerm parameter to false, so that no wildcards survive in the parsed query:

import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang.math.NumberUtils;
import org.hippoecm.hst.component.support.bean.BaseHstComponent;
import org.hippoecm.hst.content.beans.query.HstQuery;
import org.hippoecm.hst.content.beans.query.HstQueryResult;
import org.hippoecm.hst.content.beans.query.exceptions.QueryException;
import org.hippoecm.hst.content.beans.query.filter.Filter;
import org.hippoecm.hst.content.beans.standard.HippoBean;
import org.hippoecm.hst.core.component.HstComponentException;
import org.hippoecm.hst.core.component.HstRequest;
import org.hippoecm.hst.core.component.HstResponse;
import org.hippoecm.hst.core.request.HstRequestContext;
import org.hippoecm.hst.util.SearchInputParsingUtils;

public class MyComponent extends BaseHstComponent {
  private static final int PAGE_SIZE = 10; // assumed page size
  @Override
  public void doBeforeRender(HstRequest request, HstResponse response)
                                               throws HstComponentException {
    HstRequestContext context = request.getRequestContext();
    // Search below the site content root; NewsDocument is the site's own document bean
    HippoBean scope = context.getSiteContentBaseBean();
    int currentPage = Math.max(1, NumberUtils.toInt(request.getParameter("page"), 1));
    try {
      HstQuery hstQuery = context.getQueryManager().createQuery(scope,
                                               NewsDocument.class, true);
      hstQuery.setLimit(PAGE_SIZE);
      hstQuery.setOffset(PAGE_SIZE * (currentPage - 1));

      // PARSE the query: strip invalid characters and disallow wildcards
      String query = request.getParameter("query");
      String parsedQuery = SearchInputParsingUtils.parse(query, false);

      if (StringUtils.isNotEmpty(parsedQuery)) {
        Filter f = hstQuery.createFilter();
        f.addContains(".", parsedQuery); // "." = full-text search over the whole document
        hstQuery.setFilter(f);
      }

      HstQueryResult result = hstQuery.execute();
      request.setAttribute("result", result);
    } catch (QueryException e) {
      throw new HstComponentException("Search query failed", e);
    }
  }
}
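To make the effect of the allowSingleNonLeadingWildCardPerTerm flag concrete, the following illustrative sanitizer is added here for this page; it is not HST's SearchInputParsingUtils, and the set of characters it strips is an assumption chosen for the example.

```java
import java.util.ArrayList;
import java.util.List;

// Illustrative sanitizer showing the policy behind SearchInputParsingUtils.parse:
// drop query-syntax characters, never keep a leading wildcard, and keep at most one
// non-leading wildcard per term only when the caller opts in. This is NOT the HST
// implementation; the stripped character set below is an assumption for this example.
public final class SearchInputSanitizer {

    // Characters with special meaning in Lucene/Jackrabbit full-text syntax (assumed set).
    private static final String SPECIAL = "+-!(){}[]^\"~:\\/&|";

    public static String parse(String input, boolean allowSingleNonLeadingWildCardPerTerm) {
        if (input == null) {
            return "";
        }
        List<String> terms = new ArrayList<>();
        for (String rawTerm : input.trim().split("\\s+")) {
            String term = sanitizeTerm(rawTerm, allowSingleNonLeadingWildCardPerTerm);
            if (!term.isEmpty()) {
                terms.add(term); // terms reduced to nothing (e.g. a bare "*") are dropped
            }
        }
        return String.join(" ", terms);
    }

    static String sanitizeTerm(String rawTerm, boolean allowSingleWildcard) {
        StringBuilder sb = new StringBuilder();
        boolean wildcardUsed = false;
        for (char c : rawTerm.toCharArray()) {
            if (SPECIAL.indexOf(c) >= 0) {
                continue; // strip query-syntax characters entirely
            }
            if (c == '*' || c == '?') {
                // keep a wildcard only if allowed, non-leading, and the first one in this term
                if (allowSingleWildcard && sb.length() > 0 && !wildcardUsed) {
                    sb.append(c);
                    wildcardUsed = true;
                }
                continue;
            }
            sb.append(c);
        }
        return sb.toString();
    }
}
```

With this sanitizer, parse("*news hippo* cm?s", false) yields "news hippo cms", while parse("*news hippo* cm?s", true) yields "news hippo* cm?s": the leading wildcard is removed in both modes, and the expensive non-leading wildcards survive only when explicitly allowed.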