Fixing XSS on search query. Thanks to @reybango for discovering and disclosing this vulnerability.

2025-08-31 21:41:33 +00:00 · 2018-01-18 15:27:18 -08:00 · 2018-01-18 15:27:18 -08:00 · e8f2ba924c
commit e8f2ba924c
parent 94114595a6
3 changed files with 16 additions and 7 deletions
--- a/media/js/newsblur/common/router.js
+++ b/media/js/newsblur/common/router.js
@ -32,7 +32,7 @@ NEWSBLUR.Router = Backbone.Router.extend({
        // NEWSBLUR.log(["site", site_id, slug]);
        site_id = parseInt(site_id, 10);
        var feed = NEWSBLUR.assets.get_feed(site_id);
-        var query = $.getQueryString('search');
+        var query = this.extract_query();
        if (query) {
            NEWSBLUR.reader.flags.searching = true;
            NEWSBLUR.reader.flags.search = query;
@ -55,7 +55,7 @@ NEWSBLUR.Router = Backbone.Router.extend({
        var options = {
            router: true
        };
-        var query = $.getQueryString('search');
+        var query = this.extract_query();
        if (query) {
            NEWSBLUR.reader.flags.searching = true;
            NEWSBLUR.reader.flags.search = query;
@ -70,7 +70,7 @@ NEWSBLUR.Router = Backbone.Router.extend({
            router: true,
            tag: tag
        };
-        var query = $.getQueryString('search');
+        var query = this.extract_query();
        if (query) {
            NEWSBLUR.reader.flags.searching = true;
            NEWSBLUR.reader.flags.search = query;
@ -84,7 +84,7 @@ NEWSBLUR.Router = Backbone.Router.extend({
        folder_name = folder_name.replace(/-/g, ' ');
        // NEWSBLUR.log(["folder", folder_name]);
        var options = {router: true};
-        var query = $.getQueryString('search');
+        var query = this.extract_query();
        if (query) {
            NEWSBLUR.reader.flags.searching = true;
            NEWSBLUR.reader.flags.search = query;
@ -111,7 +111,7 @@ NEWSBLUR.Router = Backbone.Router.extend({
    
    social: function(user_id, slug) {
        NEWSBLUR.log(["router:social", user_id, slug]);
-        var query = $.getQueryString('search');
+        var query = this.extract_query();
        if (query) {
            NEWSBLUR.reader.flags.searching = true;
            NEWSBLUR.reader.flags.search = query;
@ -134,6 +134,15 @@ NEWSBLUR.Router = Backbone.Router.extend({
        }
    },
    
+    extract_query: function() {
+        var search = $.getQueryString('search');
+        var sanitized = search.replace(/[^\w\s]+/g, " ");
+        
+        // console.log('extract_query', search, sanitized);
+        
+        return sanitized;
+    },
+    
    user: function(user) {
        NEWSBLUR.log(["user", user]);
    }
--- a/media/js/newsblur/views/feed_search_view.js
+++ b/media/js/newsblur/views/feed_search_view.js
@ -176,7 +176,7 @@ NEWSBLUR.Views.FeedSearchView = Backbone.View.extend({
    
    search: function() {
        var $search = this.$("input[name=feed_search]");
-        var query = $search.val();
+        var query = _.escape($search.val());
        
        if (query != NEWSBLUR.reader.flags.search) {
            NEWSBLUR.reader.flags.searching = true;
--- a/media/js/vendor/jquery.newsblur.js
+++ b/media/js/vendor/jquery.newsblur.js
@ -441,7 +441,7 @@ NEWSBLUR.log = function(msg) {

            while (e = r.exec(q))
                params[d(e[1])] = d(e[2]);
-            // console.log(['get query string', name, params, params[name]]);
+
            return params[name];
        },