Patch - SR-376 - Sanitize all the user input data (#9)

ServiceCanada · Jul 15, 2024 · ca129bb · ca129bb
1 parent 049757e
commit ca129bb
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 14 deletions.
diff --git a/.eslintrc.json b/.eslintrc.json
@@ -13,6 +13,7 @@
     "jquery": true
   },
   "globals": {
+    "DOMPurify": "readonly",
     "JSON": true
   },
   "rules": {

diff --git a/src/connector.js b/src/connector.js
@@ -94,7 +94,7 @@ let pagerContainerTemplateHTML = document.getElementById( 'sr-pager-container' )
 
 // Init parameters and UI
 function initSearchUI() {
-	if( !baseElement ) {
+	if( !baseElement || !DOMPurify ) {
 		return;
 	}
 
@@ -128,12 +128,12 @@ function initSearchUI() {
 		// Ignore linting errors in regard to affectation instead of condition in the loops
 		// jshint -W084
 		while ( match = search.exec( query ) ) {	// eslint-disable-line no-cond-assign
-			urlParams[ decode(match[ 1 ] ) ] = decode( match[ 2 ] );
+			urlParams[ decode(match[ 1 ] ) ] = DOMPurify.sanitize( decode( match[ 2 ] ) );
 		}
 		query = window.location.hash.substring( 1 );
 
 		while ( match = search.exec( query ) ) {	// eslint-disable-line no-cond-assign
-			hashParams[ decode( match[ 1 ] ) ] = decode( match[ 2 ] );
+			hashParams[ decode( match[ 1 ] ) ] = DOMPurify.sanitize( decode( match[ 2 ] ) );
 		}
 		// jshint +W084
 	};
@@ -611,20 +611,19 @@ function initEngine() {
 	}
 
 	if ( hashParams.q && searchBoxElement ) {
-		searchBoxElement.value = hashParams.q;
+		searchBoxElement.value = DOMPurify.sanitize( hashParams.q );
 	}
 	else if ( urlParams.q && searchBoxElement ) {
-		searchBoxElement.value = urlParams.q;
+		searchBoxElement.value = DOMPurify.sanitize( urlParams.q );
 	}
 
 	// Get the query portion of the URL
 	const fragment = () => {
-		const hash = window.location.hash.slice( 1 );
-		if (!statusController.state.firstSearchExecuted && !hashParams.q ) {
-			return window.location.search.slice( 1 ).replaceAll( '+', ' ' ); // use query string if hash is empty
+		if ( !statusController.state.firstSearchExecuted && !hashParams.q ) {
+			return buildCleanQueryString( urlParams );
 		}
 
-		return hash;
+		return buildCleanQueryString( hashParams );
 	};
 
 	urlManager = buildUrlManager( headlessEngine, {
@@ -689,7 +688,7 @@ function initEngine() {
 			lastCharKeyUp = e.keyCode;
 
 			if( e.keyCode !== 13 && searchBoxController.state.value !== e.target.value ) {
-				searchBoxController.updateText( e.target.value );
+				searchBoxController.updateText( DOMPurify.sanitize( e.target.value ) );
 			}
 		};
 		searchBoxElement.onfocus = () => {
@@ -710,7 +709,7 @@ function initEngine() {
 			if ( searchBoxElement && searchBoxElement.value ) {
 				// Make sure we have the latest value in the search box state
 				if( searchBoxController.state.value !== searchBoxElement.value ) {
-					searchBoxController.updateText( searchBoxElement.value );
+					searchBoxController.updateText( DOMPurify.sanitize( searchBoxElement.value ) );
 				}
 				searchBoxController.submit();
 			}
@@ -730,7 +729,7 @@ function updateSearchBoxState( newState ) {
 	searchBoxState = newState;
 
 	if ( updateSearchBoxFromState && searchBoxElement && searchBoxElement.value !== newState.value ) {
-		searchBoxElement.value = newState.value;
+		searchBoxElement.value = DOMPurify.sanitize( newState.value );
 		updateSearchBoxFromState = false;
 		return;
 	}
@@ -751,7 +750,7 @@ function updateSearchBoxState( newState ) {
 			node.setAttribute( "class", "suggestion-item" );
 			node.onclick = ( e ) => { 
 				searchBoxController.selectSuggestion(e.currentTarget.innerText);
-				searchBoxElement.value = e.currentTarget.innerText;
+				searchBoxElement.value = DOMPurify.sanitize( e.currentTarget.innerText );
 			};
 			node.innerHTML = suggestion.highlightedValue;
 			suggestionsElement.appendChild( node );
@@ -763,6 +762,22 @@ function updateSearchBoxState( newState ) {
 	}
 }
 
+// rebuild a clean query string out of a JSON object
+function buildCleanQueryString( paramsObject ) {
+	let urlParam = "";
+	for ( var prop in paramsObject ) {
+		if ( paramsObject[ prop ] ) {
+			if ( urlParam !== "" ) {
+				urlParam += "&";
+			}
+
+			urlParam += prop + "=" + DOMPurify.sanitize( paramsObject[ prop ].replaceAll( '+', ' ' ) );
+		}	
+	}
+
+	return urlParam;
+}
+
 // Filters out dangerous URIs that can create XSS attacks such as `javascript:`.
 function filterProtocol( uri ) {
 
@@ -884,7 +899,7 @@ function updateQuerySummaryState( newState ) {
 
 			querySummaryElement.innerHTML = ( ( querySummaryState.query !== "" && !params.isAdvancedSearch ) ? querySummaryTemplateHTML : noQuerySummaryTemplateHTML )
 				.replace( '%[numberOfResults]', numberOfResults )
-				.replace( '%[query]', querySummaryState.query )
+				.replace( '%[query]', DOMPurify.sanitize( querySummaryState.query ) )
 				.replace( '%[queryDurationInSeconds]', querySummaryState.durationInSeconds.toLocaleString( params.lang ) );
 		}
 		else {