Description of problem: The search bar code for emitting the "search object" onto the page (JS object defining all possible search fields, operations, and values) does not correctly escape </script> tags appearing in string literals. If the admin defines a key type or arch containing </script>... it will appear unescaped in the page. Basically a dupe of bug 1209736 because the search bar code is not using tg.to_json like everything else. Version-Release number of selected component (if applicable): affects all Beaker versions since 2011 or earlier How reproducible: with admin access Steps to Reproduce: 1. As an admin, add a key type: <script>alert('xss')</script> 2. Go to the systems page Actual results: 'xss' alert appears. </script> is unescaped inside the JS string literal. Expected results: </script> is escaped correctly.
Created attachment 1020004 [details] proposed patch
Verified this issue. The result is PASS. Version: Beaker 20.1.git.5.24dc482
Beaker 20.1 has been released.