sanitise XSS attempt to referrer

ONSdigital · Jul 24, 2024 · e27d582 · e27d582
1 parent b373e11
commit e27d582
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 3 deletions.
diff --git a/handlers/feedback_test.go b/handlers/feedback_test.go
@@ -303,7 +303,7 @@ func Test_feedbackThanks(t *testing.T) {
 	Convey("Given a reflective XSS request", t, func() {
 		req := httptest.NewRequest("GET", "http://localhost?returnTo=<script>alert(1)</script>", nil)
 		w := httptest.NewRecorder()
-		url := "www.test.com"
+		url := "https://www.referrer-test.com"
 		mockRenderer := &interfacestest.RendererMock{
 			BuildPageFunc: func(w io.Writer, pageModel interface{}, templateName string) {},
 			NewBasePageModelFunc: func() coreModel.Page {
@@ -325,10 +325,10 @@ func Test_feedbackThanks(t *testing.T) {
 			}}
 		Convey("When feedbackThanks is called", func() {
 			feedbackThanks(w, req, url, mockRenderer, mockNagivationCache, lang, siteDomain, false)
-			Convey("Then the handler sanitises the request text", func() {
+			Convey("Then the handler sanitises the request text to the referrer", func() {
 				dataSentToRender := mockRenderer.BuildPageCalls()[0].PageModel.(model.Feedback)
 				returnToUrl := dataSentToRender.ReturnTo
-				So(returnToUrl, ShouldEqual, "&lt;script&gt;alert(1)&lt;/script&gt;")
+				So(returnToUrl, ShouldEqual, url)
 			})
 		})
 	})

diff --git a/mapper/mapper.go b/mapper/mapper.go
@@ -200,6 +200,9 @@ func CreateGetFeedbackThanks(req *http.Request, basePage core.Page, lang, referr
 	p := model.Feedback{
 		Page: basePage,
 	}
+	if referrer == "" {
+		referrer = wholeSite
+	}
 
 	p.Language = lang
 	p.Type = "feedback"