vivo-project/VIVO

Query text parameter not sanitized

gneissone opened this issue · 0 comments

Describe the bug
This got flagged by a security scanning application as a potential vulnerability. Pagination in search results is handled via URL parameters and JavaScript. The input is not sanitized, however, so a bad actor could execute something via the VIVO site's domain.

To Reproduce
For example, try this path on any VIVO running the latest code:
{vivo url}/search?querytext=</script><script>alert("uh%20oh");</script>

Expected behavior
The arbitrary JavaScript passed via the URL should not be executed.

Screenshots
Screenshot 2024-03-11 at 12 53 57

Environment (please complete the following information):

  • Browser: Chrome
  • Tomcat version: 9.0.78
  • VIVO version: 1.14.1-SNAPSHOT
  • Apache Solr 9.3.0

Additional context
https://github.com/vivo-project/Vitro/blob/03517df59ab02108f81f19d8ff383e20f9c556ca/webapp/src/main/webapp/templates/freemarker/body/search/search-pagedResults.ftl#L55
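As an added illustration (not VIVO/Vitro code, and not the fix the project applied), the following shows the defensive handling the report calls for: the reflected querytext is encoded for the JavaScript-string context before it is inlined in a script block, and it is carried in pagination links only as a percent-encoded URL component. The function names and the `searchQueryText` variable are assumptions made for this example; in the FreeMarker template itself the equivalent is escaping the value with a JavaScript-string built-in rather than interpolating it raw.

```javascript
// Added example (not VIVO/Vitro code): defensive handling of a search
// "querytext" value that is reflected into a page. Two sinks matter for the
// pagination described in this issue:
//  1. a JavaScript string literal inside an inline <script> block, and
//  2. the href of the generated pagination links.

// Encode an arbitrary string as a JS string literal that is safe to inline in
// a <script> block. JSON.stringify handles quotes, backslashes and control
// characters; the extra pass turns <, >, & and the JS line terminators into
// \uXXXX escapes so the HTML parser never sees "</script>" (the break-out used
// in the report). The result is still valid JSON, so JSON.parse round-trips.
function jsStringLiteralForHtml(value) {
  return JSON.stringify(String(value)).replace(/[<>&\u2028\u2029]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Build a pagination link for the given page while keeping the query text as
// a URL component, never as raw markup. URLSearchParams percent-encodes it.
function buildPageHref(basePath, querytext, page) {
  const params = new URLSearchParams({ querytext, page: String(page) });
  return `${basePath}?${params.toString()}`;
}

// Render the inline script that client-side pagination would read. The value
// reaches JavaScript as data, not as code. (Variable name is hypothetical.)
function renderPaginationScript(querytext) {
  return `<script>var searchQueryText = ${jsStringLiteralForHtml(querytext)};</script>`;
}

// Constructed sample input: the payload from the report.
const REPORTED_PAYLOAD = '</script><script>alert("uh oh");</script>';

// Check used by the reader: the rendered markup must contain exactly one
// closing script tag (the legitimate one); any earlier "</script" is a break-out.
function breaksOutOfScript(html) {
  const lower = html.toLowerCase();
  return lower.indexOf('</script') !== lower.lastIndexOf('</script');
}
```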