Can't match string containing a quote

Open on Drupal.org →

Created on 3 October 2024, 3 months ago

Problem/Motivation

It looks like 🐛 XSS vulnerability in facet results Fixed broke matching on strings containing a quote.

Steps to reproduce

Have a facet result with a label l'infini.
Type l: it finds it.
Type l': it does not find it.

It seems to be because it tries comparing l' and l'.

Proposed resolution

I see 2 ways to fix this:

Stop escaping the labels in drupalSettings and instead rework the JS to stop using innerHTML and use safe DOM methods instead.
Unescape the entities before matching the string.

🐛 Bug report

Status

Active

Version

2.2

Component

Code

Created by

🇫🇷France prudloff Lille

Live updates comments and jobs are added and updated live.

Sign in to follow issues

Merge Requests

!11Can't match string containing a quote
Open
🇫🇷France prudloff
updated 3 months ago

Comments & Activities

Issue created by @prudloff
Comment 3 months ago →
🇫🇷France prudloff Lille
Merge request !11Fix 3427028 without having to encode labels → (Open) created by prudloff
Comment 3 months ago →
🇫🇷France prudloff Lille
Turns out there is no built-in way to encode/decode HTML entities in JS so you have to use a library like he.

So instead I reworked the fix to 🐛 XSS vulnerability in facet results Fixed so we don't have to encode HTML entities in drupalSettings.
It builds the HTML with DOM methods so XSS protection is handled by the DOM API.
Comment 3 months ago →
🇫🇷France prudloff Lille
Pipeline finished with Success
3 months ago
Total: 252s
#299998

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024