From 6355d8dff104acae0283c5e9196166c0ffa58ce2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sascha=20I=C3=9Fbr=C3=BCcker?=
Date: Fri, 8 Dec 2023 21:53:54 +0100
Subject: [PATCH] Properly encode search query param (#587)

---
 bookmarks/templates/bookmarks/search.html | 2 +-
 .../tests/test_bookmark_archived_view.py | 28 ++++++++++++++++
 bookmarks/tests/test_bookmark_index_view.py | 28 ++++++++++++++++
 bookmarks/tests/test_bookmark_shared_view.py | 32 +++++++++++++++++++
 4 files changed, 89 insertions(+), 1 deletion(-)

diff --git a/bookmarks/templates/bookmarks/search.html b/bookmarks/templates/bookmarks/search.html
index 2d5008b..8663a2b 100644
--- a/bookmarks/templates/bookmarks/search.html
+++ b/bookmarks/templates/bookmarks/search.html
@@ -95,7 +95,7 @@
 props: {
 name: 'q',
 placeholder: 'Search for words or #tags',
- value: '{{ search.q|safe }}',
+ value: input.value,
 tags: uniqueTags,
 mode: '{{ mode }}',
 linkTarget: '{{ request.user_profile.bookmark_link_target }}',
diff --git a/bookmarks/tests/test_bookmark_archived_view.py b/bookmarks/tests/test_bookmark_archived_view.py
index c65a41b..4702b7d 100644
--- a/bookmarks/tests/test_bookmark_archived_view.py
+++ b/bookmarks/tests/test_bookmark_archived_view.py
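Review bot: `mode` and `linkTarget` on the context lines of the search.html hunk are still spliced into JS string literals with plain `{{ }}`; Django's HTML autoescaping entity-encodes `'`, `<` and `&` so such a value cannot terminate the literal, but it is the wrong escaper for a script context and mangles the value (a `'` arrives as `&#x27;`), so these should use the JS escaper, e.g. `mode: '{{ mode|escapejs }}',`, or be passed to the script through `json_script`. The replacement `input.value` reads the query back from a DOM element defined outside this hunk, so the fix holds only as long as that element's `value` attribute is rendered with autoescaping on, which the hunk does not show. A one-line comment above the props block, such as `// read the query from the rendered input rather than inlining it into this script`, would keep the old `|safe` form from being reintroduced.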
@@ -422,3 +422,31 @@ class BookmarkArchivedViewTestCase(TestCase, BookmarkFactoryMixin, HtmlTestMixin
 
 self.assertEqual(actions_form.attrs['action'],
 '/bookmarks/archived/action?q=%23foo&return_url=%2Fbookmarks%2Farchived%3Fq%3D%2523foo')
+
+ def test_encode_search_params(self):
+ bookmark = self.setup_bookmark(description='alert(\'xss\')', is_archived=True)
+
+ url = reverse('bookmarks:archived') + '?q=alert(%27xss%27)'
+ response = self.client.get(url)
+ self.assertNotContains(response, 'alert(\'xss\')')
+ self.assertContains(response, bookmark.url)
+
+ url = reverse('bookmarks:archived') + '?sort=alert(%27xss%27)'
+ response = self.client.get(url)
+ self.assertNotContains(response, 'alert(\'xss\')')
+
+ url = reverse('bookmarks:archived') + '?unread=alert(%27xss%27)'
+ response = self.client.get(url)
+ self.assertNotContains(response, 'alert(\'xss\')')
+
+ url = reverse('bookmarks:archived') + '?shared=alert(%27xss%27)'
+ response = self.client.get(url)
+ self.assertNotContains(response, 'alert(\'xss\')')
+
+ url = reverse('bookmarks:archived') + '?user=alert(%27xss%27)'
+ response = self.client.get(url)
+ self.assertNotContains(response, 'alert(\'xss\')')
+
+ url = reverse('bookmarks:archived') + '?page=alert(%27xss%27)'
+ response = self.client.get(url)
+ self.assertNotContains(response, 'alert(\'xss\')')
diff --git a/bookmarks/tests/test_bookmark_index_view.py b/bookmarks/tests/test_bookmark_index_view.py
index 8c99f6a..290dd37 100644
--- a/bookmarks/tests/test_bookmark_index_view.py
+++ b/bookmarks/tests/test_bookmark_index_view.py
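Review bot: Every `self.assertNotContains(response, 'alert(\'xss\')')` in test_encode_search_params only checks that the raw string is absent, which would also pass if the view dropped the parameter entirely, so the test does not show that the query is being encoded; for the `q` case add a positive assertion on the escaped echo (Django 3.0+ renders `'` as `&#x27;`), and because the bookmark description is the same text, assert it on the search input's `value` attribute rather than on the whole page. The five remaining parameter checks are identical copies that differ only in the parameter name; a `subTest` loop keeps each failure separately reported and makes adding a parameter a one-token change. The same applies to the matching hunks in test_bookmark_index_view.py and test_bookmark_shared_view.py. The enclosing class starts outside the hunk.
```python
    def test_encode_search_params(self):
        # … unchanged: bookmark setup and the ?q= request …
        self.assertContains(response, bookmark.url)
        # positive check: the query is echoed escaped, not silently dropped
        # (scope this to the search input's value attribute if the description
        # renders the same text elsewhere on the page)
        self.assertContains(response, 'alert(&#x27;xss&#x27;)')

        # the remaining parameters differ only by name; subTest reports each separately
        for param in ('sort', 'unread', 'shared', 'user', 'page'):
            with self.subTest(param=param):
                url = reverse('bookmarks:archived') + f'?{param}=alert(%27xss%27)'
                response = self.client.get(url)
                self.assertNotContains(response, 'alert(\'xss\')')
```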
@@ -418,3 +418,31 @@ class BookmarkIndexViewTestCase(TestCase, BookmarkFactoryMixin, HtmlTestMixin):
 
 self.assertEqual(actions_form.attrs['action'],
 '/bookmarks/action?q=%23foo&return_url=%2Fbookmarks%3Fq%3D%2523foo')
+
+ def test_encode_search_params(self):
+ bookmark = self.setup_bookmark(description='alert(\'xss\')')
+
+ url = reverse('bookmarks:index') + '?q=alert(%27xss%27)'
+ response = self.client.get(url)
+ self.assertNotContains(response, 'alert(\'xss\')')
+ self.assertContains(response, bookmark.url)
+
+ url = reverse('bookmarks:index') + '?sort=alert(%27xss%27)'
+ response = self.client.get(url)
+ self.assertNotContains(response, 'alert(\'xss\')')
+
+ url = reverse('bookmarks:index') + '?unread=alert(%27xss%27)'
+ response = self.client.get(url)
+ self.assertNotContains(response, 'alert(\'xss\')')
+
+ url = reverse('bookmarks:index') + '?shared=alert(%27xss%27)'
+ response = self.client.get(url)
+ self.assertNotContains(response, 'alert(\'xss\')')
+
+ url = reverse('bookmarks:index') + '?user=alert(%27xss%27)'
+ response = self.client.get(url)
+ self.assertNotContains(response, 'alert(\'xss\')')
+
+ url = reverse('bookmarks:index') + '?page=alert(%27xss%27)'
+ response = self.client.get(url)
+ self.assertNotContains(response, 'alert(\'xss\')')
diff --git a/bookmarks/tests/test_bookmark_shared_view.py b/bookmarks/tests/test_bookmark_shared_view.py
index 1b3ceba..50d41e3 100644
--- a/bookmarks/tests/test_bookmark_shared_view.py
+++ b/bookmarks/tests/test_bookmark_shared_view.py
@@ -500,3 +500,35 @@ class BookmarkSharedViewTestCase(TestCase, BookmarkFactoryMixin, HtmlTestMixin):
 
 self.assertEqual(actions_form.attrs['action'],
 '/bookmarks/shared/action?q=%23foo&return_url=%2Fbookmarks%2Fshared%3Fq%3D%2523foo')
+
+ def test_encode_search_params(self):
+ self.authenticate()
+ user = self.get_or_create_test_user()
+ user.profile.enable_sharing = True
+ user.profile.save()
+ bookmark = self.setup_bookmark(description='alert(\'xss\')', shared=True)
+
+ url = reverse('bookmarks:shared') + '?q=alert(%27xss%27)'
+ response = self.client.get(url)
+ self.assertNotContains(response, 'alert(\'xss\')')
+ self.assertContains(response, bookmark.url)
+
+ url = reverse('bookmarks:shared') + '?sort=alert(%27xss%27)'
+ response = self.client.get(url)
+ self.assertNotContains(response, 'alert(\'xss\')')
+
+ url = reverse('bookmarks:shared') + '?unread=alert(%27xss%27)'
+ response = self.client.get(url)
+ self.assertNotContains(response, 'alert(\'xss\')')
+
+ url = reverse('bookmarks:shared') + '?shared=alert(%27xss%27)'
+ response = self.client.get(url)
+ self.assertNotContains(response, 'alert(\'xss\')')
+
+ url = reverse('bookmarks:shared') + '?user=alert(%27xss%27)'
+ response = self.client.get(url)
+ self.assertNotContains(response, 'alert(\'xss\')')
+
+ url = reverse('bookmarks:shared') + '?page=alert(%27xss%27)'
+ response = self.client.get(url)
+ self.assertNotContains(response, 'alert(\'xss\')')