Describe the bug
This got flagged by a security scanning application as a potential vulnerability. Pagination in search results is handled via URL parameters and JavaScript. The input is not sanitized, however, so a bad actor could execute arbitrary JavaScript in the context of the VIVO site's domain.
To Reproduce
For example, try this path on any VIVO running the latest code:
{vivo url}/search?querytext=
Expected behavior
The arbitrary JavaScript passed via the URL should not be executed.
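As an added illustration (not VIVO's or Vitro's own code, and not the fix for the linked template), the two output contexts a paginated search page writes the query text into, an inline script variable and a link href, each need their own encoding; the FreeMarker analogue of the script case is the `?js_string` built-in. Function names below are hypothetical.

```python
import html
import json
from urllib.parse import urlencode

# Characters that json.dumps leaves alone but that can close the enclosing
# <script> element or start a new tag when the literal sits in inline HTML.
_HTML_SENSITIVE = {"<": "\\u003c", ">": "\\u003e", "&": "\\u0026"}


def js_string_literal(value: str) -> str:
    """Return a double-quoted JS string literal safe to embed in an inline <script>.

    json.dumps escapes backslashes, double quotes, control characters and (with
    the default ensure_ascii=True) all non-ASCII code points, including the JS
    line terminators U+2028/U+2029; the remaining HTML-sensitive characters are
    replaced with \\uXXXX escapes so the literal cannot break out of the script.
    """
    literal = json.dumps(value)
    for ch, esc in _HTML_SENSITIVE.items():
        literal = literal.replace(ch, esc)
    return literal


def render_pagination_script(querytext: str, page) -> str:
    """Build the inline pagination script, encoding querytext for the JS-string context.

    int() rejects a non-numeric page value instead of interpolating it raw.
    """
    return (
        "<script>\n"
        f"  var querytext = {js_string_literal(querytext)};\n"
        f"  var page = {int(page)};\n"
        "</script>"
    )


def render_pagination_link(querytext: str, page: int) -> str:
    """Build a next-page link: URL-encode the query string, then HTML-escape it for the attribute."""
    qs = urlencode({"querytext": querytext, "page": page})
    return f'<a href="/search?{html.escape(qs)}">next</a>'
```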
Screenshots
Environment (please complete the following information):
Additional context
https://github.com/vivo-project/Vitro/blob/03517df59ab02108f81f19d8ff383e20f9c556ca/webapp/src/main/webapp/templates/freemarker/body/search/search-pagedResults.ftl#L55