External/netbox
1
0
Fork 0
mirror of https://github.com/netbox-community/netbox.git synced 2025-12-17 09:45:57 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fixes #20009: Fix DOM-based XSS vulnerability in search export functionality

Browse Source 
Replace direct string concatenation with URLSearchParams to properly
encode user input in export link URLs, preventing injection of malicious
parameters or scripts through the search functionality.

Resolves CodeQL Alert #63 (js/xss-through-dom)
This commit is contained in:
Jason Novinger 2025-08-01 15:14:09 -05:00 committed by Jeremy Stretch
parent bb83187505
commit 2c09973e01
3 changed files with 7 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
netbox/project-static/dist/netbox.js vendored
View File

File diff suppressed because one or more lines are too long

6
netbox/project-static/dist/netbox.js.map vendored
View File

File diff suppressed because one or more lines are too long

4
netbox/project-static/src/search.ts
View File

@ -38,7 +38,9 @@ function handleQuickSearchParams(event: Event): void {
if (quickSearchParameters != null) { if (quickSearchParameters != null) {
const link = document.getElementById('export_current_view') as HTMLLinkElement; const link = document.getElementById('export_current_view') as HTMLLinkElement;
const search_parameter = `q=${quickSearchParameters.value}`; const params = new URLSearchParams();
params.set('q', quickSearchParameters.value);
const search_parameter = params.toString();
const linkUpdated = link?.href + '&' + search_parameter; const linkUpdated = link?.href + '&' + search_parameter;
link.setAttribute('href', linkUpdated); link.setAttribute('href', linkUpdated);
} }