XSS vulnerability in Gannet

[kltm]

It is currently possible to inject disrupting code into Gannet parameters that could be used to create an XSS attack for users on bad links. For example, the following URL illustrates this:

https://amigo-staging.geneontology.io/gannet?mirror=amigo_2_local_default&query=%3c%2ftextarea%3e%3cscRipt%3enetsparker(0x0067DA)%3c%2fscRipt%3e

Similar to https://github.com/geneontology/amigo/issues/575

[kltm]

Similarly: http://noctua-amigo.berkeleybop.org/gannet?query=%3C/textarea%3E%3Ca%20href=%22http://www.google.com%22%3E%3Ch1%3Eshould-not-be-seen%3C/h1%3E%3C/a

[kltm]

This looks to be cleared now.

[kltm]

New problematic example:

• [x] http://amigo-exp.geneontology.io/gannet?query=q%3D*%3A*%0D%0Afq%3Ddocument_category%3Cscript%3Ealert(document.domain)%3C/script%3E%3E%3Aannotation%0D%0Afq%3Dsource%3A%22TAIR%22%0D%0Afq%3Devidence_type%3A%22IEA%22%0D%0A&mirror=amigo_2_local_default

[kltm]

I think I got it.