Textpattern CMS support forum


#1 2018-06-10 13:35:27

kuopassa
Plugin Author
From: Porvoo, Finland
Registered: 2008-12-03
Posts: 191

kuo_disable_search: deny access to Textpattern's front-side search

This is a very basic plugin that does only this: prevents users from making search queries with the default Textpattern front-side search engine.

Why should you install this plugin? If your articles contain for example Textpattern tags, or PHP code, which are not meant to be shown publicly, and your Textpattern theme shows excerpts of found search results, then those search results can reveal sensitive data. I’ve informed TXP developers about this problem, but haven’t yet received a reply. :-/


#2 2018-06-10 17:12:57

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 7,317

Re: kuo_disable_search: deny access to Textpattern's front-side search

Although I’m sure that this plugin will be of use, couldn’t that sensitive information go into a section which is not syndicated or searchable?


Yiannis
——————————
neme.org | hblack.net | LABS | State Machines | Respbublika! | NeMe @ github


#3 2018-06-10 17:45:27

kuopassa
Plugin Author
From: Porvoo, Finland
Registered: 2008-12-03
Posts: 191

Re: kuo_disable_search: deny access to Textpattern's front-side search

That could be a better solution than this one, but consider for example a scenario where <txp:hide>this super secret thing is not hidden from search results</txp:hide>. ;-)


#4 2018-06-11 07:13:35

phiw13
Plugin Author
From: Japan
Registered: 2004-02-27
Posts: 1,691

Re: kuo_disable_search: deny access to Textpattern's front-side search

This is not a new issue with TXP 4.7, right? I could reproduce the same problem with TXP 4.6.2.

But I can imagine this could be a problem if you insert the supersecret thing in an article, or even simply if you hide some part of an article with an HTML comment.


#5 2018-06-11 07:47:09

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 7,317

Re: kuo_disable_search: deny access to Textpattern's front-side search

Bug confirmed. Content wrapped in txp:hide does indeed appear in search results. Did you report the issue on github?


Yiannis
——————————
neme.org | hblack.net | LABS | State Machines | Respbublika! | NeMe @ github


#6 2018-06-11 13:36:55

etc
Developer
Registered: 2010-11-11
Posts: 3,267

Re: kuo_disable_search: deny access to Textpattern's front-side search

colak wrote #312503:

Bug confirmed. Content wrapped in txp:hide does indeed appear in search results. Did you report the issue on github?

Hi Yiannis, it’s neither a bug nor a feature, just technology. For best search performance, we use db indexes. The searchable fields (body, excerpt, …) are indexed on article save without any tag parsing, which would be unreliable anyway (think of if_logged_in). And parsing on each search would be too expensive. So it goes.

A globally sane approach is to avoid tags/code in article content. Just write :-)

Edit: though we could strip txp tags from search result excerpts more thoroughly, will think of it.


etc_[ query | search | pagination | date | tree | cache ]
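
As an added example (not part of the thread and not Textpattern's own code), here is an audit a site owner could run over exported article bodies to find content that the raw-text search index described in post #6 would still match. The function names and sample bodies are assumptions constructed for illustration; the patterns cover `txp:hide`, `txp:php` and HTML comments and do not handle nested tags.

```python
import re


# Regions an author expects to stay out of public view. The stored body is
# searched as raw text, so whatever these wrap is still matched.
HIDDEN_PATTERNS = {
    "txp:hide": re.compile(r"<txp:hide\b[^>]*>(.*?)</txp:hide\s*>", re.S | re.I),
    "txp:php": re.compile(r"<txp:php\b[^>]*>(.*?)</txp:php\s*>", re.S | re.I),
    "html-comment": re.compile(r"<!--(.*?)-->", re.S),
}


def hidden_regions(body):
    """Return (kind, text) for every non-empty hidden region in a raw body."""
    found = []
    for kind, pattern in HIDDEN_PATTERNS.items():
        for match in pattern.finditer(body):
            text = match.group(1).strip()
            if text:
                found.append((kind, text))
    return found


def visible_text(body):
    """Approximate what a visitor sees: drop hidden regions, then any tags."""
    for pattern in HIDDEN_PATTERNS.values():
        body = pattern.sub(" ", body)
    return re.sub(r"<[^>]+>", " ", body)


def leaks_via_search(body, query):
    """True when a query matches the raw body but not the visible text."""
    q = query.lower()
    return q in body.lower() and q not in visible_text(body).lower()


def audit(articles):
    """Map article id -> hidden regions, for articles that have any."""
    found = {aid: hidden_regions(body) for aid, body in articles.items()}
    return {aid: regions for aid, regions in found.items() if regions}


# Constructed sample bodies, not taken from any real site.
SAMPLE_ARTICLES = {
    1: "<p>Launch notes.</p><txp:hide>draft price: 49 EUR</txp:hide>",
    2: "<p>Plain article with nothing hidden.</p>",
    3: "<p>Gallery</p><!-- todo: remove staging login hint -->",
}
```

Articles reported by `audit` are candidates for moving the hidden material out of the body, for example into a non-searchable section as suggested in post #2.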


#7 2018-06-11 14:07:10

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 7,317

Re: kuo_disable_search: deny access to Textpattern's front-side search

etc wrote #312510:

Edit: though we could strip txp tags from search result excerpts more thoroughly, will think of it.

Hmmm that would possibly be a problem too as shorttags offer a wonderfully easy way to include searchable captions in figures.

Edit: @kuopassa. Would adi_notes be able to do what you are looking for? I am in no way against your plugin… I’m just trying to think of softer ways you can bypass this issue.

Last edited by colak (2018-06-11 14:10:59)


Yiannis
——————————
neme.org | hblack.net | LABS | State Machines | Respbublika! | NeMe @ github

