NeoAnd/netbox
1
0
Fork 0
mirror of https://github.com/netbox-community/netbox.git synced 2025-08-28 10:16:10 -06:00
Code Issues Actions 6 Packages Projects Releases Wiki Activity

Fixes #20009: Fix DOM-based XSS vulnerability in search export functionality

Browse Source 
Replace direct string concatenation with URLSearchParams to properly
encode user input in export link URLs, preventing injection of malicious
parameters or scripts through the search functionality.

Resolves CodeQL Alert #63 (js/xss-through-dom)
This commit is contained in:
Jason Novinger 2025-08-01 15:14:09 -05:00 committed by Jeremy Stretch
parent bb83187505
commit 2c09973e01
3 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
netbox/project-static/dist/netbox.js vendored
View File

Binary file not shown.

BIN
netbox/project-static/dist/netbox.js.map vendored
View File

Binary file not shown.

4
netbox/project-static/src/search.ts
View File

@ -38,7 +38,9 @@ function handleQuickSearchParams(event: Event): void {
if (quickSearchParameters != null) { if (quickSearchParameters != null) {
const link = document.getElementById('export_current_view') as HTMLLinkElement; const link = document.getElementById('export_current_view') as HTMLLinkElement;
const search_parameter = `q=${quickSearchParameters.value}`; const params = new URLSearchParams();
params.set('q', quickSearchParameters.value);
const search_parameter = params.toString();
const linkUpdated = link?.href + '&' + search_parameter; const linkUpdated = link?.href + '&' + search_parameter;
link.setAttribute('href', linkUpdated); link.setAttribute('href', linkUpdated);
} }