Protect returnTo from XSS
lindenmckenzie committed Jan 26, 2023
1 parent 4014cf5 commit 5485889
Showing 2 changed files with 26 additions and 1 deletion.
4 changes: 3 additions & 1 deletion handlers/feedback.go
Expand Up @@ -3,6 +3,7 @@ package handlers
import (
"bytes"
"fmt"
"html"
"net/http"
"regexp"

Expand Down Expand Up @@ -53,7 +54,8 @@ func feedbackThanks(w http.ResponseWriter, req *http.Request, url, errorType str
p.ErrorType = errorType
p.PreviousURL = url

returnTo := req.URL.Query().Get("returnTo")
// returnTo is redered on page so needs XSS protection
returnTo := html.EscapeString(req.URL.Query().Get("returnTo"))
if returnTo == "Whole site" {
returnTo = wholeSite
} else if returnTo == "" {
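Review bot: Applying html.EscapeString to returnTo at the point it is read moves output encoding away from the render boundary, so the effect depends on what the renderer does with the page model: if the template is executed with html/template the value is encoded a second time and a legitimate value containing `&` renders as `&amp;amp;`, whereas if the template is text-based or the field is marked safe this call is the only defence. Worth confirming which applies and recording it in the comment, e.g. `// returnTo is rendered on the page as plain text; escape here because the renderer does not auto-escape it` (once verified). HTML escaping also does not make the value safe as a link target or redirect destination; if returnTo is ever used that way, an allow-list of relative or same-origin paths is the control to add rather than escaping. The added comment has a typo: `// returnTo is rendered on the page so needs XSS protection`. feedbackThanks begins before and continues past this hunk.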
23 changes: 23 additions & 0 deletions handlers/feedback_test.go
Expand Up @@ -10,6 +10,7 @@ import (

"github.com/ONSdigital/dp-frontend-feedback-controller/email/emailtest"
"github.com/ONSdigital/dp-frontend-feedback-controller/interfaces/interfacestest"
"github.com/ONSdigital/dp-frontend-feedback-controller/model"
"github.com/ONSdigital/dp-frontend-models/model/feedback"
coreModel "github.com/ONSdigital/dp-renderer/model"

Expand Down Expand Up @@ -283,4 +284,26 @@ func Test_feedbackThanks(t *testing.T) {
})
})
})

Convey("Given a reflective XSS request", t, func() {
req := httptest.NewRequest("GET", "http://localhost?returnTo=<script>alert(1)</script>", nil)
w := httptest.NewRecorder()
url := "www.test.com"
errorType := ""

mockRenderer := &interfacestest.RendererMock{
BuildPageFunc: func(w io.Writer, pageModel interface{}, templateName string) {},
NewBasePageModelFunc: func() coreModel.Page {
return coreModel.Page{}
},
}
Convey("When feedbackThanks is called", func() {
feedbackThanks(w, req, url, errorType, mockRenderer)
Convey("Then the handler sanitises the request text", func() {
dataSentToRender := mockRenderer.BuildPageCalls()[0].PageModel.(model.Feedback)
returnToUrl := dataSentToRender.Metadata.Description
So(returnToUrl, ShouldEqual, "&lt;script&gt;alert(1)&lt;/script&gt;")
})
})
})
}
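Review bot: `mockRenderer.BuildPageCalls()[0]` on the line that reads the page model indexes without checking that BuildPage was called, so a regression that skips rendering panics the test binary instead of failing an assertion; add `So(len(mockRenderer.BuildPageCalls()), ShouldEqual, 1)` before it. The case only pins the encoded form of a script tag; a second input containing `&` would document whether the handler is meant to be the single point of escaping, i.e. whether `a&b` is expected to reach the template as `a&amp;b`. Test_feedbackThanks starts before this hunk.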
