From b0d288d2efd0f8020d04ca95b8e0738a9eab6c51 Mon Sep 17 00:00:00 2001
From: Jyri-Petteri Paloposki <jyri-petteri.paloposki@iki.fi>
Date: Thu, 25 Jul 2024 15:34:44 +0300
Subject: [PATCH] Fix reflected XSS vulnerabilities in some views

---
 app/controllers/todos_controller.rb    |  6 ++++--
 app/views/layouts/application.html.erb | 12 ++++++------
 2 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/app/controllers/todos_controller.rb b/app/controllers/todos_controller.rb
index 1c852420e..05b7a95a8 100644
--- a/app/controllers/todos_controller.rb
+++ b/app/controllers/todos_controller.rb
@@ -863,8 +863,10 @@ def get_params_for_tag_view
     end
 
     @single_tag = @tag_expr.size == 1 && @tag_expr[0].size == 1
-    @tag_name = @tag_expr[0][0]
-    @tag_title = @single_tag ? @tag_name : tag_title(@tag_expr)
+
+    # These are used in the templates, sanitise to prevent XSS.
+    @tag_name = sanitize(@tag_expr[0][0])
+    @tag_title = sanitize(@single_tag ? @tag_name : tag_title(@tag_expr))
   end
 
   def filter_format_for_tag_view
diff --git a/app/views/layouts/application.html.erb b/app/views/layouts/application.html.erb
index 31e5808e9..4640637a8 100644
--- a/app/views/layouts/application.html.erb
+++ b/app/views/layouts/application.html.erb
@@ -7,14 +7,14 @@
     <%= javascript_include_tag "application" %>
     <%= csrf_meta_tags %>
     <script type="text/javascript">
-      var SOURCE_VIEW = '<%=@source_view%>';
-      var AUTH_TOKEN = '<%= raw(protect_against_forgery? ? form_authenticity_token.inspect : "") %>'
-      var TAG_NAME = '<%= @tag_name ? @tag_name : "" %>'
-      var GROUP_VIEW_BY = '<%= @group_view_by ? @group_view_by : "" %>'
+      var SOURCE_VIEW = '<%=j @source_view %>';
+      var AUTH_TOKEN = '<%=j raw(protect_against_forgery? ? form_authenticity_token.inspect : "") %>'
+      var TAG_NAME = '<%=j @tag_name ? @tag_name : "" %>'
+      var GROUP_VIEW_BY = '<%=j @group_view_by ? @group_view_by : "" %>'
       var defaultContexts = <%= default_contexts_for_autocomplete.html_safe rescue '{}' %>;
       var defaultTags = <%= default_tags_for_autocomplete.html_safe rescue '{}' %>;
-      var dateFormat = '<%= date_format_for_date_picker %>';
-      var weekStart = '<%= current_user.prefs.week_starts %>';
+      var dateFormat = '<%=j date_format_for_date_picker %>';
+      var weekStart = '<%=j current_user.prefs.week_starts %>';
       function relative_to_root(path) { return '<%= root_url %>'+path; };
       <% if current_user.prefs.refresh != 0 -%>
         setup_auto_refresh(<%= current_user.prefs["refresh"].to_i*60000 %>);