Bug 1295998

Summary: search bar does not escape </script> tags from search inputs when producing JSON
Product: [Retired] Beaker
Reporter: Dan Callaghan <dcallagh>
Component: web UI
Assignee: Dan Callaghan <dcallagh>
Status: CLOSED CURRENTRELEASE
QA Contact: tools-bugs <tools-bugs>
Severity: unspecified
Priority: unspecified
Version: 21
CC: dcallagh, dowang, junichi.nomura, mjia, rjoost
Target Milestone: 22.1
Keywords: Patch, Security
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2016-02-01 04:30:57 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Dan Callaghan 2016-01-06 04:01:38 UTC
Description of problem:
Similar to bug 1215024, just a different piece of template which is not correctly escaping JSON strings embedded in templates. In this case the problem is user-supplied search strings in the search bars.

The problem exists on all grid pages which use the traditional search bar: systems, distros, distro trees, distro families, tasks, jobs, recipes, reserve report. In older Beaker versions this includes other pages too.

Version-Release number of selected component (if applicable):
21.2, but the problem dates back at least to commit 6aa9e505 (Jan 2011) and has probably existed since the search bar was first added.

How reproducible:
easily

Steps to Reproduce:
1. In the search bar's "simplesearch" field, or the value field of an advanced search, enter </script><script>alert('hi') and submit the search.

Actual results:
Alert appears, due to unescaped </script> embedded in a JSON string inside a script on the resulting page.

Expected results:
</script> closing tag should be correctly escaped inside the JSON string so that it's not interpreted as a closing tag by the browser.

Additional info:
The user controlled parameter is read from the URL query string ("reflected XSS" in OWASP parlance) which means it is possible for an attacker to construct a malicious URL containing injected JS and trick a victim into clicking it.
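An added illustration of the class of fix this report asks for; it is not code from Beaker or from the Gerrit change linked below, and the template fragments and function names are hypothetical. The point it shows is that `json.dumps()` alone escapes quotes and backslashes (so the JSON string is never broken out of) but leaves `</script>` intact, and the browser's HTML tokenizer sees that closing tag before any JavaScript runs; replacing `<`, `>` and `&` with JSON `\uXXXX` escapes keeps the value identical after `JSON.parse` while removing anything the HTML parser acts on (the same approach Django's `json_script` helper takes).

```python
import json

# Characters the HTML parser may act on inside an inline <script> element.
# Rewriting them as JSON unicode escapes is lossless: JSON.parse / json.loads
# turn "\u003c" back into "<".
_SCRIPT_SAFE = {
    "<": "\\u003c",
    ">": "\\u003e",
    "&": "\\u0026",
}


def script_safe_json(value):
    """Serialise value to JSON that is safe to embed inside a <script> block."""
    # ensure_ascii=True also escapes U+2028/U+2029, which are line terminators
    # in JavaScript but not in JSON, so they cannot break the script either.
    encoded = json.dumps(value, ensure_ascii=True)
    for ch, esc in _SCRIPT_SAFE.items():
        encoded = encoded.replace(ch, esc)
    return encoded


def render_search_page_unsafe(search_terms):
    # Hypothetical template fragment reproducing the bug: the JSON string is
    # well formed, but "</script>" inside it still closes the script element.
    return "<script>var search = %s;</script>" % json.dumps(
        {"simplesearch": search_terms})


def render_search_page_safe(search_terms):
    # Same fragment, with the script-safe encoder.
    return "<script>var search = %s;</script>" % script_safe_json(
        {"simplesearch": search_terms})


def count_script_close(html):
    """Number of '</script' sequences in rendered HTML; a page with one
    inline script should contain exactly one, the real closing tag."""
    return html.lower().count("</script")


def roundtrips(value):
    """True if the escaped JSON still decodes to the original value."""
    return json.loads(script_safe_json(value)) == value


# Constructed input: the search string from the reproduction steps above.
SEARCH_INPUT = "</script><script>alert('hi')"

if __name__ == "__main__":
    print(count_script_close(render_search_page_unsafe(SEARCH_INPUT)))  # 2
    print(count_script_close(render_search_page_safe(SEARCH_INPUT)))    # 1
    print(roundtrips({"simplesearch": SEARCH_INPUT}))                   # True
```

Escaping `"` and `\` is the JSON layer's job and is already correct here; the HTML layer is a separate parser with its own terminators, so the encoder has to account for both.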

Comment 1 Dan Callaghan 2016-01-06 04:33:16 UTC
http://gerrit.beaker-project.org/4566

Comment 4 Dan Callaghan 2016-02-01 04:30:57 UTC
Beaker 22.1 has been released.