26 changes: 19 additions & 7 deletions docs/detailed-result-handling.md
@@ -20,17 +20,29 @@ simple methods available that you can access anywhere.
* `isSuccess()`: Simply states whether or not the search was a success, or error.
* `getRecords()`: A `PaginatedList` of `Record` objects that were returned by the search service based on your `Query`.
* `getFacets`: An `ArrayList` of `Facet` objects that were returned by the search service based on your `Query`.
* `getQuery`": The `Query` object
* `getQuery`: The `Query` object containing the user entered search term. See the [Query class](#query-class) section below for safe handling of user input.

The `Results` class is also a `ViewableData` object, so these methods can be access in your template with `$isSuccess`,
`$Records`, `$Facets`, and `$Query`.
`$Records`, and `$Facets`.

## `Query` class
The `Query` class provides the original query that was used for matching results. This is available should you wish
to include `Showing results for "test"` or similar text on your results page.

**Important:** When including `$Query` in the template it should be noted that this assumes the query string is
safe and that the implementation has sanitised the user input to mitigate against cross-site scripting (xss) attacks.
The `Query` class provides the original query that was used for matching results.

> [!IMPORTANT]
> If you need to include the search term on the page (for example, `Showing results for "test"`) you will
> need to handle sanitisation of this value to mitigate against cross-site scripting (xss) attacks. The simplest
> way of doing this is to create a custom function that returns a DBText field, and the Silverstripe templating
> system will handle this for you (see example below).

````php
/**
* Wraps the raw query string in a DBText instance for safely adding $sanitisedQuery to template.
*/
public function sanitisedQuery(Query $query): DBText
{
return DBText::create()->setValue($query->getQueryString());
}
````

## `Record` class

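Review bot: The added `sanitisedQuery(Query $query): DBText` helper cannot be invoked as `$sanitisedQuery` from a template as the docblock suggests, because the template call passes no `Query` argument. Suggest either dropping the parameter and reading the query from the object the method lives on (for example `return DBText::create()->setValue($this->getQuery()->getQueryString());` if it is added to `Results`), or stating where the method is expected to be declared and how the template calls it. Two smaller points on the same hunk: the snippet has no `use` import for `DBText` (`SilverStripe\ORM\FieldType\DBText` in Silverstripe 4+), so a copied example will not resolve the class; and the IMPORTANT admonition should say that the escaping only applies when the field is output normally, since `$sanitisedQuery.RAW` would emit the user-controlled string unescaped. Finally, "xss" should read "XSS".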