Fix HTML injection in search results summary

In commit f374478dd, we enabled the possibility to use HTML in the search results translations in order to add a <strong> tag to these results. However, that meant we were also allowing HTML tags inside the search term itself, and so it was possible to inject HTML on the page. Stripping the HTML tags solves the issue. Note the issue wasn't a high severity issue because tags such as `<script>` weren't allowed since we were using the `sanitize` helper.
2022-04-09 02:07:05 +02:00
parent 5c0aa42351
commit 015613a140
3 changed files with 44 additions and 4 deletions
--- a/app/components/shared/search_results_summary_component.rb
+++ b/app/components/shared/search_results_summary_component.rb
@@ -10,6 +10,10 @@ class Shared::SearchResultsSummaryComponent < ApplicationComponent
  private

    def summary
-      sanitize(t("proposals.index.search_results", count: results.size, search_term: search_terms))
+      sanitize(t(
+        "proposals.index.search_results",
+        count: results.size,
+        search_term: strip_tags(search_terms)
+      ))
    end
 end
--- a/app/views/management/proposals/index.html.erb
+++ b/app/views/management/proposals/index.html.erb
@@ -10,9 +10,9 @@
        <% if @search_terms %>
          <h3>
            <%= page_entries_info @proposals %>
-            <%= sanitize(
-              t("proposals.index.search_results", count: @proposals.size, search_term: @search_terms)
-            ) %>
+            <%= sanitize(t("proposals.index.search_results",
+                           count: @proposals.size,
+                           search_term: strip_tags(@search_terms))) %>
          </h3>
        <% end %>

--- a/spec/system/html_injection_spec.rb
+++ b/spec/system/html_injection_spec.rb
@@ -0,0 +1,36 @@
+require "rails_helper"
+
+describe "HTML injection protection" do
+  let(:attack_code) { "<a href='/evil'>Click me</a>" }
+
+  scenario "debates search" do
+    visit debates_path(search: attack_code)
+
+    expect(page).to have_content "containing the term 'Click me'"
+    expect(page).not_to have_link "Click me"
+  end
+
+  scenario "investments search" do
+    visit budget_investments_path(budget_id: create(:budget), search: attack_code)
+
+    expect(page).to have_content "containing the term 'Click me'"
+    expect(page).not_to have_link "Click me"
+  end
+
+  scenario "proposals search" do
+    visit proposals_path(search: attack_code)
+
+    expect(page).to have_content "containing the term 'Click me'"
+    expect(page).not_to have_link "Click me"
+  end
+
+  scenario "proposals search in the management area" do
+    login_managed_user(create(:user, :level_two))
+    login_as_manager
+
+    visit management_proposals_path(search: attack_code)
+
+    expect(page).to have_content "containing the term 'Click me'"
+    expect(page).not_to have_link "Click me"
+  end
+end