From 2c09973e01dc5d4baa91c965a8a4cd3d3f63b92e Mon Sep 17 00:00:00 2001 From: Jason Novinger Date: Fri, 1 Aug 2025 15:14:09 -0500 Subject: [PATCH] Fixes #20009: Fix DOM-based XSS vulnerability in search export functionality Replace direct string concatenation with URLSearchParams to properly encode user input in export link URLs, preventing injection of malicious parameters or scripts through the search functionality. Resolves CodeQL Alert #63 (js/xss-through-dom) --- netbox/project-static/dist/netbox.js | Bin 382549 -> 382592 bytes netbox/project-static/dist/netbox.js.map | Bin 1734998 -> 1735136 bytes netbox/project-static/src/search.ts | 4 +++- 3 files changed, 3 insertions(+), 1 deletion(-) diff --git a/netbox/project-static/dist/netbox.js b/netbox/project-static/dist/netbox.js index 7572150d4a6efa855f939ab1f78d159ee4acc9b2..dc0b0ed23116b7774beb8530d2a7b461af51295d 100644 GIT binary patch delta 126 zcmcb*M!aFIctZ6CHu&{)N+N;AfMpW#G>SkfW)H2++yoYz2ejo4W&XQom9QD z#GKMpP3xT05``k$Oudr);F6-uymSpsoqSu35?kB6(wrRovi!^x1p})Ry^NyNG)-+K cH6`t$=>hi4;*9z28TQOT%(6Yhp7rfC0L$wtKmY&$ delta 77 zcmZozD}Hs2ctZ6C3}H{LR*#URK2pqoYK_V1f8PkvG&Zel9|>edc~F7M2#)7Pc1l7LFFqEnKqK*a{Mh5_5~E|83!t6;x1w@brpP zOElCA)pe%xUF8yE*DFiRDNWU!E^v)YK@6&*BtN*MC^IizL(@7YPeEZi{}nEU_VR07 zK+FxqJV49~#C$-^55xjMEC|FxKr9TzBHPQaiQb>@8?58$=;*1F?&Rp4=j5p4>gebX z5djK&yMXw`PCDK|HjwFT>Vb%GrogF%vc&K}bX%ES~nz)H)UeWvd& z6_b;9cGGco^oA(&25B#M0tz^nK#U68ezi=Di;*#O`h#*YZN{kSJQZT{jEU2AD#R2d zl0f!E>LfclCPxDGIQoLD$#4#to>C#E%W3WkF*Lk=R)rW4ivzL5_E{B@%Qv!u!)UvW ImXwq~053>?CjbBd delta 261 zcmaFxIrG}5%!U@m7N!>F7M2#)7Pc1l7LFFqEnKqKrdMC%5@t;(v{k8|&VQ9lltZs9 zF{d=OHlcm~H7+3L24Wr{<^^ItAm#^R0U#CxVj&NS$Oy$K-IJ9!Fo0VHwUr)1Op`>2eyo h`s)NcItGWfOI3;iu{aP*Y?rE(T)uJpX)P&He*jmQTc-d3 diff --git a/netbox/project-static/src/search.ts b/netbox/project-static/src/search.ts index 1295527cf..827986928 100644 --- a/netbox/project-static/src/search.ts +++ b/netbox/project-static/src/search.ts 
@@ -38,7 +38,9 @@ function handleQuickSearchParams(event: Event): void {
 if (quickSearchParameters != null) {
 const link = document.getElementById('export_current_view') as HTMLLinkElement;
- const search_parameter = `q=${quickSearchParameters.value}`;
+ const params = new URLSearchParams();
+ params.set('q', quickSearchParameters.value);
+ const search_parameter = params.toString();
 const linkUpdated = link?.href + '&' + search_parameter;
 link.setAttribute('href', linkUpdated);
 }
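Review bot: The encoding fix stops at the new `search_parameter`; the context line `const linkUpdated = link?.href + '&' + search_parameter;` still appends the parameter by string concatenation, which assumes the export href already carries a query string (no `?` means the first `&q=` is malformed) and, if this handler fires on every input event (handleQuickSearchParams starts above the hunk, so the trigger is not visible here), stacks another `&q=...` onto the href on each call instead of replacing the previous value. The optional chain in `link?.href` is also at odds with the unconditional `link.setAttribute(...)` two lines later: a missing element yields the string `undefined&q=...` and then throws on the next line. Using the URL API sets rather than appends and keeps the same percent-encoding the new URLSearchParams code provides: `const url = new URL(link.href, window.location.href);` / `url.searchParams.set('q', quickSearchParameters.value);` / `link.setAttribute('href', url.toString());`. Separately, `as HTMLLinkElement` types the element as a `<link>`; if `export_current_view` is an anchor, `HTMLAnchorElement` is the matching type.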