Fixes #20009: Fix DOM-based XSS vulnerability in search export functionality
Replace direct string concatenation with URLSearchParams to properly encode user input in export link URLs, preventing injection of malicious parameters or scripts through the search functionality. Resolves CodeQL Alert #63 (js/xss-through-dom)
2
netbox/project-static/dist/netbox.js
vendored
2
netbox/project-static/dist/netbox.js
vendored
6
netbox/project-static/dist/netbox.js.map
vendored
6
netbox/project-static/dist/netbox.js.map
vendored
@@ -38,7 +38,9 @@ function handleQuickSearchParams(event: Event): void {
|
||||
|
||||
if (quickSearchParameters != null) {
|
||||
const link = document.getElementById('export_current_view') as HTMLLinkElement;
|
||||
const search_parameter = `q=${quickSearchParameters.value}`;
|
||||
const params = new URLSearchParams();
|
||||
params.set('q', quickSearchParameters.value);
|
||||
const search_parameter = params.toString();
|
||||
const linkUpdated = link?.href + '&' + search_parameter;
|
||||
link.setAttribute('href', linkUpdated);
|
||||
}
|
||||
|
||||
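Review bot: The `q` value is now encoded, but the context line `const linkUpdated = link?.href + '&' + search_parameter;` still appends to whatever `link.href` already holds, so every run of handleQuickSearchParams adds another `&q=…` to the export link, and the result is malformed when the href carries no `?` yet. Replacing the three new lines and that concatenation with `const url = new URL(link.href); url.searchParams.set('q', quickSearchParameters.value); link.setAttribute('href', url.toString());` keeps the encoding the commit introduces and makes the update idempotent, since `searchParams.set` replaces an existing `q` instead of stacking one. The `link?.href` optional chain is also inconsistent with the unguarded `link.setAttribute` two lines later: if the element is missing the first yields the string `undefined&q=…` and the second throws, so an early `if (link == null) return;` right after the lookup would be clearer. The rest of handleQuickSearchParams lies outside the hunk, so which event triggers it and how often it fires is not visible here.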