prevent potential XSS from searchbar results (#342)

* prevent potential XSS from searchbar results * use built in handlebars expression escaping * use handlebars encodeURIComponent
linkedin · Feb 5, 2021 · 843bc10 · 843bc10
1 parent 605d10e
commit 843bc10
Showing 1 changed file with 4 additions and 4 deletions.
diff --git a/src/oncall/ui/static/js/oncall.js b/src/oncall/ui/static/js/oncall.js
@@ -579,11 +579,11 @@ var oncall = {
               },
               footer: function(resp){
                 if (teamsCt > typeaheadLimit) {
-                  return '<div class="tt-see-all"><a href="/query/' + resp.query + '/teams" data-navigo> See all ' + teamsCt + ' results for teams »</a></div>';
+                  return '<div class="tt-see-all"><a href="/query/' + Handlebars.escapeExpression(encodeURIComponent(resp.query)) + '/teams" data-navigo> See all ' + teamsCt + ' results for teams »</a></div>';
                 }
               },
               empty: function(resp){
-                return '<h4> No results found for "' + resp.query + '" </h4>';
+                return '<h4> No results found for "' + Handlebars.escapeExpression(resp.query) + '" </h4>';
               }
             }
           },
@@ -604,7 +604,7 @@ var oncall = {
               },
               footer: function(resp){
                 if (servicesCt > typeaheadLimit) {
-                  return '<div class="tt-see-all"><a href="/query/' + resp.query + '/services" data-navigo> See all ' + servicesCt + ' results for services »</a></div>';
+                  return '<div class="tt-see-all"><a href="/query/' + Handlebars.escapeExpression(encodeURIComponent(resp.query)) + '/services" data-navigo> See all ' + servicesCt + ' results for services »</a></div>';
                 }
               }
             }
@@ -626,7 +626,7 @@ var oncall = {
               },
               footer: function(resp){
                 if (usersCt > typeaheadLimit) {
-                  return '<div class="tt-see-all"><a href="/query/' + resp.query + '/users" data-navigo> See all ' + usersCt + ' results for users »</a></div>';
+                  return '<div class="tt-see-all"><a href="/query/' + Handlebars.escapeExpression(encodeURIComponent(resp.query)) + '/users" data-navigo> See all ' + usersCt + ' results for users »</a></div>';
                 }
               }
             }