From 843bc106a1c1b1699e9e52b6b0d01c7efe1d6225 Mon Sep 17 00:00:00 2001
From: Diego Cepeda <dcepeda@linkedin.com>
Date: Fri, 5 Feb 2021 15:30:43 -0800
Subject: [PATCH] prevent potential XSS from searchbar results (#342)

* prevent potential XSS from searchbar results

* use built in handlebars expression escaping

* use handlebars encodeURIComponent
---
 src/oncall/ui/static/js/oncall.js | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/oncall/ui/static/js/oncall.js b/src/oncall/ui/static/js/oncall.js
index 9189bd8d..022985e2 100644
--- a/src/oncall/ui/static/js/oncall.js
+++ b/src/oncall/ui/static/js/oncall.js
@@ -579,11 +579,11 @@ var oncall = {
               },
               footer: function(resp){
                 if (teamsCt > typeaheadLimit) {
-                  return '<div class="tt-see-all"><a href="/query/' + resp.query + '/teams" data-navigo> See all ' + teamsCt + ' results for teams »</a></div>';
+                  return '<div class="tt-see-all"><a href="/query/' + Handlebars.escapeExpression(encodeURIComponent(resp.query)) + '/teams" data-navigo> See all ' + teamsCt + ' results for teams »</a></div>';
                 }
               },
               empty: function(resp){
-                return '<h4> No results found for "' + resp.query + '" </h4>';
+                return '<h4> No results found for "' + Handlebars.escapeExpression(resp.query) + '" </h4>';
               }
             }
           },
@@ -604,7 +604,7 @@ var oncall = {
               },
               footer: function(resp){
                 if (servicesCt > typeaheadLimit) {
-                  return '<div class="tt-see-all"><a href="/query/' + resp.query + '/services" data-navigo> See all ' + servicesCt + ' results for services »</a></div>';
+                  return '<div class="tt-see-all"><a href="/query/' + Handlebars.escapeExpression(encodeURIComponent(resp.query)) + '/services" data-navigo> See all ' + servicesCt + ' results for services »</a></div>';
                 }
               }
             }
@@ -626,7 +626,7 @@ var oncall = {
               },
               footer: function(resp){
                 if (usersCt > typeaheadLimit) {
-                  return '<div class="tt-see-all"><a href="/query/' + resp.query + '/users" data-navigo> See all ' + usersCt + ' results for users »</a></div>';
+                  return '<div class="tt-see-all"><a href="/query/' + Handlebars.escapeExpression(encodeURIComponent(resp.query)) + '/users" data-navigo> See all ' + usersCt + ' results for users »</a></div>';
                 }
               }
             }