From 54858898cf48679b814f70eec7e267d06322ab1c Mon Sep 17 00:00:00 2001
From: lindenmckenzie
Date: Thu, 26 Jan 2023 09:10:27 +0000
Subject: [PATCH] Protect returnTo from XSS

---
 handlers/feedback.go | 4 +++-
 handlers/feedback_test.go | 23 +++++++++++++++++++++++
 2 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/handlers/feedback.go b/handlers/feedback.go
index 08f053a..23dabce 100644
--- a/handlers/feedback.go
+++ b/handlers/feedback.go
@@ -3,6 +3,7 @@ package handlers
 import (
 "bytes"
 "fmt"
+ "html"
 "net/http"
 "regexp"
 
@@ -53,7 +54,8 @@ func feedbackThanks(w http.ResponseWriter, req *http.Request, url, errorType str
 p.ErrorType = errorType
 p.PreviousURL = url
 
- returnTo := req.URL.Query().Get("returnTo")
+ // returnTo is redered on page so needs XSS protection
+ returnTo := html.EscapeString(req.URL.Query().Get("returnTo"))
 if returnTo == "Whole site" {
 returnTo = wholeSite
 } else if returnTo == "" {
diff --git a/handlers/feedback_test.go b/handlers/feedback_test.go
index eee511a..78dfddc 100644
--- a/handlers/feedback_test.go
+++ b/handlers/feedback_test.go
@@ -10,6 +10,7 @@ import (
 
 "github.com/ONSdigital/dp-frontend-feedback-controller/email/emailtest"
 "github.com/ONSdigital/dp-frontend-feedback-controller/interfaces/interfacestest"
+ "github.com/ONSdigital/dp-frontend-feedback-controller/model"
 "github.com/ONSdigital/dp-frontend-models/model/feedback"
 coreModel "github.com/ONSdigital/dp-renderer/model"
 
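Review bot: Escaping `returnTo` with `html.EscapeString` at the point of reading the query parameter is only correct if the renderer inserts the value verbatim; if the page goes through `html/template`, which escapes contextually, the value is escaped twice and a legitimate `&` in the URL is shown to users as `&amp;`, so the renderer's escaping should be confirmed before relying on this. Entity escaping also does not make the value safe as a link target, which the name suggests it is: a `javascript:`- or `data:`-scheme value passes through `EscapeString` unchanged, so if `returnTo` ends up in an `href` the stronger control is to validate it (relative path or allowlisted host) and fall back to the default, rather than to escape it. The added comment has a typo and should state the assumption it rests on: `// returnTo is rendered on the page; escaped here on the assumption the renderer does not escape it again`. feedbackThanks begins and ends outside this hunk, so the downstream use of `returnTo` is not visible here.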
@@ -283,4 +284,26 @@ func Test_feedbackThanks(t *testing.T) {
 })
 })
 })
+
+ Convey("Given a reflective XSS request", t, func() {
+ req := httptest.NewRequest("GET", "http://localhost?returnTo=", nil)
+ w := httptest.NewRecorder()
+ url := "www.test.com"
+ errorType := ""
+
+ mockRenderer := &interfacestest.RendererMock{
+ BuildPageFunc: func(w io.Writer, pageModel interface{}, templateName string) {},
+ NewBasePageModelFunc: func() coreModel.Page {
+ return coreModel.Page{}
+ },
+ }
+ Convey("When feedbackThanks is called", func() {
+ feedbackThanks(w, req, url, errorType, mockRenderer)
+ Convey("Then the handler sanitises the request text", func() {
+ dataSentToRender := mockRenderer.BuildPageCalls()[0].PageModel.(model.Feedback)
+ returnToUrl := dataSentToRender.Metadata.Description
+ So(returnToUrl, ShouldEqual, "<script>alert(1)</script>")
+ })
+ })
+ })
 }
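Review bot: As displayed, the request carries an empty `returnTo` (`http://localhost?returnTo=`) and the assertion expects the raw `<script>alert(1)</script>`, which cannot demonstrate escaping: an empty value takes the `else if returnTo == ""` branch in feedbackThanks, and an escaped value would never equal the unescaped literal. This looks like the page rendering having stripped the tag from the query string and decoded entities in the expected string, so it is worth confirming that the committed test sends the payload URL-encoded, e.g. `req := httptest.NewRequest("GET", "http://localhost?returnTo=%3Cscript%3Ealert(1)%3C%2Fscript%3E", nil)`, and expects the entity-escaped form, `So(returnToUrl, ShouldEqual, "&lt;script&gt;alert(1)&lt;/script&gt;")`. A second case with a plain value such as `"/some/path"` asserting it comes through unchanged would guard against the escaping being applied twice. The local named `url` shadows the `net/url` package name if that package is imported in this file, which is not visible in the hunk.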