datamade / django-councilmatic

:heartpulse: Django app providing core functions for *.councilmatic.org
http://councilmatic.org
MIT License
26 stars 16 forks

XSS Vulnerability when using filter options #270

Open Krazian opened 3 years ago

Krazian commented 3 years ago

This issue happens for all cities that use your product. Within the /search view, you can use the filter parameters to run JavaScript code in an HTML script tag. See the following for an example:

I attempted to do the same on http://philly.councilmatic.org/, but it ended up breaking and showing a Heroku error.
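A defender-side illustration of the bug class described in this report, added here as an example and not code from django-councilmatic or from its fix in PR #271: the unsafe pattern of concatenating /search filter values into an inline script, beside the approach of Django's `json_script` filter reimplemented in plain Python so it runs without Django installed. All function and parameter names are assumptions.

```python
import html
import json
import re

# Added example (not django-councilmatic code): how filter parameters reach an
# inline <script> unsafely, and the json_script-style rendering that prevents it.

# The same three replacements Django's json_script applies to its JSON payload.
_JSON_HTML_ESCAPES = {ord("<"): "\\u003C", ord(">"): "\\u003E", ord("&"): "\\u0026"}


def unsafe_filter_script(params: dict) -> str:
    """Vulnerable pattern: raw query-string values pasted into a script body."""
    body = ", ".join(f'"{k}": "{v}"' for k, v in params.items())
    return "<script>var filters = {" + body + "};</script>"


def json_script(value, element_id: str) -> str:
    """Plain-Python mirror of Django's json_script: JSON inside a non-executable
    <script type="application/json"> element with <, > and & escaped, so the
    HTML parser can never see a closing </script> or a new tag in the data."""
    payload = json.dumps(value).translate(_JSON_HTML_ESCAPES)
    return f'<script id="{html.escape(element_id)}" type="application/json">{payload}</script>'


def safe_filter_script(params: dict) -> str:
    """Hardened rendering of the same filter parameters."""
    return json_script(params, "filter-params")


def read_back(script_html: str) -> dict:
    """What page JS does: JSON.parse(document.getElementById(id).textContent).
    The \\uXXXX escapes decode transparently, so the data round-trips intact."""
    inner = re.search(r">(.*)</script>", script_html, re.S).group(1)
    return json.loads(inner)


def script_tag_count(markup: str) -> int:
    """Check: correctly rendered output contains exactly one opening <script tag."""
    return len(re.findall(r"<script\b", markup, re.I))


if __name__ == "__main__":
    # Constructed filter values; one carries a script-closing sequence.
    params = {"topics": "Budget & Finance", "query": "</script><script>x()</script>"}
    print(script_tag_count(unsafe_filter_script(params)))   # 2: injected tag survives
    print(script_tag_count(safe_filter_script(params)))     # 1
    print(read_back(safe_filter_script(params)) == params)  # True
```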

jeancochrane commented 3 years ago

Thanks very much for reporting this vulnerability. We've got a fix open in https://github.com/datamade/django-councilmatic/pull/271 and will update this issue as soon as we've patched production systems.

jeancochrane commented 3 years ago

We released 2.5.9 to fix this bug. The fix is currently being rolled out to LA Metro, and we're working on logistics to do it for Chicago and New York as well.