Fix XSS vulnerabilities in the instant search plugin. Fix code style errors

- Substitute the 'throttle' function by the 'debounce'
- Add a striping html tags from a response result
- Add a validation of a search result url

Author: voronkovich

app/Resources/assets/js/jquery.instantSearch.js

@@ -1,4 +1,17 @@
-// jQuery plugin for an instant searching
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+/**
+ * jQuery plugin for an instant searching.
+ *
+ * @author Oleg Voronkovich <[email protected]>
+ */
 (function($) {
     $.fn.instantSearch = function(config) {
         return this.each(function() {
@@ -7,25 +20,53 @@
     };
 
     var defaultConfig = {
+        allowedTags: '',
         minQueryLength: 2,
         maxPreviewItems: 10,
         previewDelay: 500,
         noItemsFoundMessage: 'No items found'
     };
 
-    var throttle = (function(){
-        var timer = 0;
-        return function(callback, ms){
-            clearTimeout (timer);
-            timer = setTimeout(callback, ms);
+    function debounce(fn, delay) {
+        var timer = null;
+        return function () {
+            var context = this, args = arguments;
+            clearTimeout(timer);
+            timer = setTimeout(function () {
+                fn.apply(context, args);
+            }, delay);
         };
-    })();
+    }
+
+    function isValidUrl(url) {
+        var parser = document.createElement('a');
+        try {
+            parser.href = url;
+            return !!parser.hostname;
+        } catch (e) {
+            return false;
+        }
+    }
+
+    // See http://phpjs.org/functions/strip_tags/
+    function stripTags(input, allowed) {
+        allowed = (((allowed || '') + '').toLowerCase().match(/<[a-z][a-z0-9]*>/g) || []).join('');
+
+        var tags = /<\/?([a-z][a-z0-9]*)\b[^>]*>/gi;
+        var commentsAndPhpTags = /<!--[\s\S]*?-->|<\?(?:php)?[\s\S]*?\?>/gi;
+
+        return input.replace(commentsAndPhpTags, '').replace(tags, function($0, $1) {
+            return allowed.indexOf('<' + $1.toLowerCase() + '>') > -1 ? $0 : '';
+        });
+    }
 
     var initInstantSearch = function(el, config) {
         var $input = $(el);
-        var $form = $input.parents('form').first();
+        var $form = $input.closest('form');
         var $preview = $('<ul class="search-preview list-group"></ul>').appendTo($form);
 
+        config.noItemsFoundMessage = stripTags(config.noItemsFoundMessage);
+
         var setPreviewItems = function(items) {
             $preview.empty();
 
@@ -34,7 +75,7 @@
                     return;
                 }
 
-                addItemToPreview(item)
+                addItemToPreview(item);
             });
         }
 
@@ -54,15 +95,29 @@
             }
 
             $.getJSON($form.attr('action') + '?' + $form.serialize(), function(items) {
-                if (items.length === 0) {
+                // Sanitize items
+                var sanitizedItems = [];
+                $.each(items, function(index, item) {
+                    // Url can contains a 'javascript:' code
+                    if (isValidUrl(item.url)) {
+                        sanitizedItems.push({
+                            url: item.url,
+                            result: stripTags(item.result, config.allowedTags)
+                        });
+                    }
+                });
+
+                if (sanitizedItems.length === 0) {
                     noItemsFound();
                     return;
                 }
 
-                setPreviewItems(items);
+                setPreviewItems(sanitizedItems);
             });
         }
 
+        var debouncedUpdatePreview = debounce(updatePreview, config.previewDelay);
+
         $input.focusout(function(e) {
             $preview.fadeOut();
         });
@@ -73,7 +128,7 @@
         });
 
         $input.keyup(function(e) {
-            throttle(updatePreview, config.previewDelay);
+            debouncedUpdatePreview();
         });
     }
 })(window.jQuery);

app/Resources/views/base.html.twig

@@ -160,15 +160,15 @@
             <script src="{{ asset('js/app.js') }}"></script>
 
             <script>
-                $(document).ready(function() {
-                    hljs.initHighlightingOnLoad();
-                });
-
                 $(function() {
                     $('.search-bar input[name="q"]').instantSearch({
                         noItemsFoundMessage: '{{ 'post.no_posts_found'|trans }}'
                     });
                 });
+
+                $(document).ready(function() {
+                    hljs.initHighlightingOnLoad();
+                });
             </script>
         {% endblock %}
 

src/AppBundle/Controller/BlogController.php

@@ -155,7 +155,8 @@ public function searchAction(Request $request)
 
         foreach ($posts as $post) {
             array_push($results, array(
-                'result' => $post->getTitle(),
+                // We should never trust to admin user
+                'result' => strip_tags($post->getTitle()),
                 'url' => $this->generateUrl('blog_post', array('slug' => $post->getSlug())),
             ));
         }