XSS vulnerability in search filters

[kltm]

It is currently possible to inject disrupting code into the search filters that could be used to create an XSS attack for users on bad links. For example, the following URLs illustrate this, disrupting the variable creation:

https://amigo­-staging.geneontology.io/amigo/search/annotation?q=*:*&fq='%22­­%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Enetsparker(0x007768)%3C/scRipt%3E&sfq=document_category:%22annotation%22 https://amigo­staging.geneontology.io/amigo/search/bioentity?q=*:*&fq='%22­­%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Enetsparker(0x005086)%3C/scRipt%3E&sfq=document_category:%22bioentity%22 https://amigo­-staging.geneontology.io/gannet?mirror=amigo_2_local_default&query=%3c%2ftextarea%3e%3cscRipt%3enetsparker(0x0067DA)%3c%2fscRipt%3e

Fixing would be better serialization on variable rendering.

[kltm]

More examples:

http://noctua-amigo.berkeleybop.org/amigo/search/annotation?q=*:*&fq=regulates_closure%3a%22GO%3a1905213%22j0dhp%3c%2fscript%3e%3cscript%3ealert('should-not-be-seen')%3c%2fscript%3eqgeih&sfq=document_category:%22annotation%22

http://noctua-amigo.berkeleybop.org/amigo/search/bioentity?q=*:*&fq=regulates_closure%3a%22GO%3a1905212%22v6ft7%3c%2fscript%3e%3cscript%3ealert('should-not-be-seen')%3c%2fscript%3esbdnb&sfq=document_category:%22bioentity%22

http://amigo-staging.geneontology.io/amigo/search/bioentity?q=*:*&fq=regulates_closure%3a%22GO%3a1905212%22v6ft7%3c%2fscript%3e%3cscript%3ealert('should-not-be-seen')%3c%2fscript%3esbdnb&sfq=document_category:%22bioentity%22

[kltm]

New problematic examples:

• [x] http://amigo-exp.geneontology.io/amigo/search/bioentity?q=*:*&sfq=%3C/script%3E%3Csvg/onload=alert(document.domain)%3Edocument_category:%22quas%3Ch1%3Etest%22
  cleared with code update
• [ ] http://amigo-exp.geneontology.io/amigo/reference?ref_id=PMID:666666%22%3E%3Csvg/onload=alert(document.domain)%3E moved to https://github.com/geneontology/amigo/issues/608