The autocomplete route/endpoint has XSS vulnerabilities

Created on 30 October 2024, 16 days ago

Problem/Motivation

I'm using the autocomplete (with Solr Terms) route as endpoint in a decoupled architecture. The query parameter allows HTML as input, so if I would inject some HTML in my query but end it with a word that has suggestions, it will also return the user input with HTML in the response.

Steps to reproduce

Index some nodes with text that will give suggestion back e.g: insert numbers starting with 12.
Enable and configure "Solr Terms" in autocomplete.
Perform request with HTML, e.g: /search_api_autocomplete/<search_api_autocomplete_search>?q=test<img%20src%3D0%20onerror%3Dalert(document.cookie)>%2012

The response is giving the user input HTML back.

[
{
"value": "test<img src=0 onerror=alert(document.cookie)> 12",
"label": "\n<div class=\"search-api-autocomplete-suggestion\">\n      <span class=\"autocomplete-suggestion-user-input\">test&lt;img src=0 onerror=alert(document.cookie)&gt; 12</span>  </div>\n"
},
{
"value": "test<img src=0 onerror=alert(document.cookie)> 120",
"label": "\n<div class=\"search-api-autocomplete-suggestion\">\n      <span class=\"autocomplete-suggestion-user-input\">test&lt;img src=0 onerror=alert(document.cookie)&gt; 12</span>  </div>\n"
},
{
"value": "test<img src=0 onerror=alert(document.cookie)> 125",
"label": "\n<div class=\"search-api-autocomplete-suggestion\">\n      <span class=\"autocomplete-suggestion-user-input\">test&lt;img src=0 onerror=alert(document.cookie)&gt; 12</span><span class=\"autocomplete-suggestion-suggestion-suffix\">5</span>  </div>\n"
}
]

Proposed resolution

Filter out the HTML on the autocomplete query parameter.

🐛 Bug report

Status

Active

Version

1.0

Component

General code

Created by

🇳🇱Netherlands bojan_dev

Live updates comments and jobs are added and updated live.

Merge Requests

!31The autocomplete route/endpoint has XSS vulnerabilities
Open
🇳🇱Netherlands bojan_dev
updated 16 days ago

Comments & Activities

Issue created by @bojan_dev
Comment 16 days ago →
🇳🇱Netherlands bojan_dev
bojan_dev → changed the visibility of the branch 3484623-the-autocomplete-routeendpoint to hidden.
Merge request !31Issue #3484623: Add XSS filter on query user input → (Open) created by bojan_dev
Pipeline finished with Success
16 days ago
Total: 171s
#325094
Comment 16 days ago →
🇳🇱Netherlands bojan_dev
Comment 6 days ago →
🇺🇸United States greggles Denver, Colorado, USA
Comment 5 days ago →
🇦🇹Austria drunken monkey Vienna, Austria
Discussed privately and concluded that this is just a matter of documenting that the value key is not HTML, so shouldn’t be used as such by custom frontend code.

@bojan_dev: Where would you say is the best place to add this clarification, where do we have the highest chance of reaching frontend developers?

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024