IBX-9793: Fixed XSS issues in several places

For more details see https://issues.ibexa.co/browse/IBX-9793

Key changes:

* IBX-9793: Fixed issues in DOM helper

* IBX-9793: Fixed issues in Text helper

* IBX-9880: Fixed issues in content type filter in search

Author: tischsoic

src/bundle/Resources/encore/ez.js.config.js

@@ -5,6 +5,7 @@ const fieldTypesPath = path.resolve(__dirname, '../public/js/scripts/fieldType/'
 const layout = [
     path.resolve(__dirname, '../public/js/scripts/helpers/icon.helper.js'),
     path.resolve(__dirname, '../public/js/scripts/helpers/text.helper.js'),
+    path.resolve(__dirname, '../public/js/scripts/helpers/dom.helper.js'),
     path.resolve(__dirname, '../public/js/scripts/helpers/request.helper.js'),
     path.resolve(__dirname, '../public/js/scripts/helpers/notification.helper.js'),
     path.resolve(__dirname, '../public/js/scripts/helpers/timezone.helper.js'),

src/bundle/Resources/public/js/scripts/admin.search.filters.js

@@ -1,4 +1,6 @@
 (function (global, doc, eZ, $, flatpickr) {
+    const { escapeHTML, escapeHTMLAttribute } = eZ.helpers.text;
+    const { dangerouslySetInnerHTML } = eZ.helpers.dom;
     let getUsersTimeout;
     const CLASS_DATE_RANGE = 'ez-filters__range-wrapper';
     const CLASS_VISIBLE_DATE_RANGE = 'ez-filters__range-wrapper--visible';
@@ -149,11 +151,11 @@
     };
     const filterByContentType = () => {
         const selectedCheckboxes = [...contentTypeCheckboxes].filter((checkbox) => checkbox.checked);
-        const contentTypesText = selectedCheckboxes.map((checkbox) => checkbox.dataset.name).join(', ');
+        const contentTypesText = selectedCheckboxes.map((checkbox) => escapeHTML(checkbox.dataset.name)).join(', ');
         const option = contentTypeSelect[0];
         const defaultText = option.dataset.default;
 
-        option.innerHTML = contentTypesText || defaultText;
+        dangerouslySetInnerHTML(option, contentTypesText || defaultText);
 
         toggleDisabledStateOnApplyBtn();
     };
@@ -214,14 +216,17 @@
             .then(showUsersList);
     };
     const createUsersListItem = (user) => {
-        return `<li data-id="${user._id}" data-name="${user.TranslatedName}" class="ez-filters__user-item">${user.TranslatedName}</li>`;
+        const userNameHtmlEscaped = escapeHTML(user.TranslatedName);
+        const userNameHtmlAttributeEscaped = escapeHTMLAttribute(user.TranslatedName);
+
+        return `<li data-id="${user._id}" data-name="${userNameHtmlAttributeEscaped}" class="ez-filters__user-item">${userNameHtmlEscaped}</li>`;
     };
     const showUsersList = (data) => {
         const hits = data.View.Result.searchHits.searchHit;
         const users = hits.reduce((total, hit) => total + createUsersListItem(hit.value.Content), '');
         const methodName = users ? 'addEventListener' : 'removeEventListener';
 
-        usersList.innerHTML = users;
+        dangerouslySetInnerHTML(usersList, users);
         usersList.classList.remove('ez-filters__user-list--hidden');
 
         doc.querySelector('body')[methodName]('click', handleClickOutsideUserList, false);

src/bundle/Resources/public/js/scripts/admin.trash.list.js

@@ -1,4 +1,6 @@
 (function (global, doc, eZ, React, ReactDOM, Translator) {
+    const { escapeHTML, escapeHTMLAttribute } = eZ.helpers.text;
+    const { dangerouslySetInnerHTML } = eZ.helpers.dom;
     let getUsersTimeout;
     const CLASS_SORTED_ASC = 'ez-table__sort-column--asc';
     const CLASS_SORTED_DESC = 'ez-table__sort-column--desc';
@@ -149,14 +151,17 @@
             .catch(() => eZ.helpers.notification.showErrorNotification(errorMessage));
     };
     const createUsersListItem = (user) => {
-        return `<li data-id="${user._id}" data-name="${user.TranslatedName}" class="ez-trash-search-form__user-item">${user.TranslatedName}</li>`;
+        const userNameHtmlEscaped = escapeHTML(user.TranslatedName);
+        const userNameHtmlAttributeEscaped = escapeHTMLAttribute(user.TranslatedName);
+
+        return `<li data-id="${user._id}" data-name="${userNameHtmlAttributeEscaped}" class="ez-trash-search-form__user-item">${userNameHtmlEscaped}</li>`;
     };
     const showUsersList = (data) => {
         const hits = data.View.Result.searchHits.searchHit;
         const users = hits.reduce((total, hit) => total + createUsersListItem(hit.value.Content), '');
         const methodName = users ? 'addEventListener' : 'removeEventListener';
 
-        usersList.innerHTML = users;
+        dangerouslySetInnerHTML(usersList, users);
         usersList.classList.remove('ez-trash-search-form__user-list--hidden');
 
         doc.querySelector('body')[methodName]('click', handleClickOutsideUserList, false);

src/bundle/Resources/public/js/scripts/helpers/dom.helper.js

@@ -0,0 +1,22 @@
+(function (global, doc, eZ) {
+    const { escapeHTML } = eZ.helpers.text;
+    const safelySetInnerHTML = (node, text) => {
+        node.innerHTML = escapeHTML(text);
+    };
+
+    const dangerouslySetInnerHTML = (node, text) => {
+        node.innerHTML = text;
+    };
+
+    const dangerouslyInsertAdjacentHTML = (node, position, text) => {
+        const escapedText = text;
+
+        node.insertAdjacentHTML(position, escapedText);
+    };
+
+    eZ.addConfig('helpers.dom', {
+        safelySetInnerHTML,
+        dangerouslySetInnerHTML,
+        dangerouslyInsertAdjacentHTML,
+    });
+})(window, window.document, window.eZ);

src/bundle/Resources/public/js/scripts/helpers/text.helper.js

@@ -1,4 +1,4 @@
-(function(global, doc, eZ) {
+(function (global, doc, eZ) {
     const escapeHTML = (string) => {
         const stringTempNode = doc.createElement('div');
 
@@ -7,7 +7,21 @@
         return stringTempNode.innerHTML;
     };
 
+    const escapeHTMLAttribute = (string) => {
+        if (string === null) {
+            return '';
+        }
+
+        return String(string)
+            .replace(/&/g, '&')
+            .replace(/</g, '&lt;')
+            .replace(/>/g, '&gt;')
+            .replace(/"/g, '&quot;')
+            .replace(/'/g, '&#039;');
+    };
+
     eZ.addConfig('helpers.text', {
         escapeHTML,
+        escapeHTMLAttribute,
     });
 })(window, window.document, window.eZ);