Sanitize Search Input
HST's SearchInputParsingUtils provides utility methods for sanitizing potentially malicious free-text query strings, either by filtering out characters that have special meaning in the query syntax or by constraining how wildcards may be used.
We recommend always passing free-text input through SearchInputParsingUtils before injecting it into an HstQuery.
For optimal performance, set the parse method's allowSingleNonLeadingWildCardPerTerm parameter to false, so that no wildcards at all survive in the parsed query (a wildcard term forces a much broader index scan than a plain term):
final HstRequestContext context = request.getRequestContext();
final HippoBean scope = context.getSiteContentBaseBean();
HstQueryBuilder hstQueryBuilder = HstQueryBuilder.create(scope)
        .ofTypes(BaseDocument.class);

// Read the raw, untrusted free-text parameter from the request
String query = getPublicRequestParameter(request, "query");

// PARSE the query: strip special characters and disallow wildcards (false)
String parsedQuery = SearchInputParsingUtils.parse(query, false);

// Only add the full-text constraint when something meaningful survived sanitizing
if (StringUtils.isNotEmpty(parsedQuery)) {
    hstQueryBuilder = hstQueryBuilder.where(constraint(".").contains(parsedQuery));
}

final HstQuery hstQuery = hstQueryBuilder.build();
final HstQueryResult result = hstQuery.execute();
request.setAttribute("result", result);
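To make concrete what "filtering out invalid characters" and "constraining the use of wildcards" mean for the two settings of allowSingleNonLeadingWildCardPerTerm, here is a small self-contained Java illustration. It is an added example written for this page, not the HST SearchInputParsingUtils implementation, and the set of operator characters it strips is an assumption chosen for illustration; the real utility's exact rules may differ. Its output is the kind of string that would then be handed to constraint(".").contains(...) as in the snippet above.

```java
import java.util.ArrayList;
import java.util.List;

/**
 * Illustrative free-text search sanitizer (added example, NOT the HST
 * SearchInputParsingUtils code). It demonstrates the two controls the page
 * describes: dropping query-operator characters and constraining wildcards.
 */
public final class SearchInputSanitizerExample {

    // Characters with operator meaning in JCR/Lucene full-text syntax.
    // Assumed set for illustration; the real utility's list may differ.
    private static final String OPERATOR_CHARS = "!()[]{}^~:\\\"'/&|";

    private SearchInputSanitizerExample() {}

    /**
     * @param input                              raw, untrusted user text
     * @param allowSingleNonLeadingWildcardPerTerm false: remove every wildcard;
     *                                           true: keep at most one '*' per term, never leading
     */
    public static String sanitize(String input, boolean allowSingleNonLeadingWildcardPerTerm) {
        if (input == null) {
            return "";
        }
        // Replace operator and control characters with a space so terms stay separated
        StringBuilder stripped = new StringBuilder(input.length());
        for (char c : input.toCharArray()) {
            if (OPERATOR_CHARS.indexOf(c) >= 0 || Character.isISOControl(c)) {
                stripped.append(' ');
            } else {
                stripped.append(c);
            }
        }
        List<String> terms = new ArrayList<>();
        for (String term : stripped.toString().trim().split("\\s+")) {
            String cleaned = constrainWildcards(term, allowSingleNonLeadingWildcardPerTerm);
            if (!cleaned.isEmpty()) {
                terms.add(cleaned);
            }
        }
        // Empty result tells the caller to skip the contains() constraint entirely
        return String.join(" ", terms);
    }

    static String constrainWildcards(String term, boolean allowSingle) {
        // '?' (single-character wildcard) is never allowed in this illustration
        String t = term.replace("?", "");
        if (!allowSingle) {
            return t.replace("*", "");
        }
        // Drop leading wildcards: a leading '*' forces a scan of the whole term index
        int i = 0;
        while (i < t.length() && t.charAt(i) == '*') {
            i++;
        }
        t = t.substring(i);
        // Keep only the first remaining '*' and remove any further ones
        int first = t.indexOf('*');
        if (first < 0) {
            return t;
        }
        return t.substring(0, first + 1) + t.substring(first + 1).replace("*", "");
    }

    public static void main(String[] args) {
        // Constructed sample inputs, including operator injection attempts and wildcard abuse
        String[] samples = {
            "hippo*",
            "*hippo",
            "hi**po*",
            "title:(foo bar)",
            "\"quoted phrase\"~2",
            "a?b",
            "***"
        };
        for (String s : samples) {
            System.out.printf("%-22s strict=%-16s lenient=%s%n",
                    s, sanitize(s, false), sanitize(s, true));
        }
    }
}
```

Running main shows that with the strict setting (false, as recommended) every '*' and '?' disappears, while the lenient setting still refuses leading wildcards and collapses multiple wildcards to one per term; an input consisting only of wildcards sanitizes to the empty string, which is why the component code guards the contains() constraint with a non-empty check.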