Query text parameter not sanitized
Created by: gneissone
Describe the bug
This got flagged by a security scanning application as a potential vulnerability. Pagination in search results is handled via URL parameters and JavaScript. The input is not sanitized, however, so a bad actor could execute something via the VIVO site's domain.
To Reproduce
For example, try this path on any VIVO running the latest code: {vivo url}/search?querytext=
Expected behavior
The arbitrary JavaScript passed via the URL should not be executed.
Environment (please complete the following information):
- Browser: Chrome
- Tomcat version: 9.0.78
- VIVO version: 1.14.1-SNAPSHOT
- Apache Solr 9.3.0
Additional context
https://github.com/vivo-project/Vitro/blob/03517df59ab02108f81f19d8ff383e20f9c556ca/webapp/src/main/webapp/templates/freemarker/body/search/search-pagedResults.ftl#L55
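The bug class described in this report, as an added illustration that is not Vitro/VIVO code and does not reproduce the linked template: a search term echoed unencoded into pagination markup reaches two output contexts (an inline script that stores the query for the pager JS, and the href of a page link), and a payload that closes one of them runs as script. The function names, the markup shape and the payload below are assumptions; the hardened version encodes for each context separately (URL component, HTML attribute, JavaScript string literal) rather than "sanitizing" the input once.

```javascript
// Added illustration, not Vitro/VIVO code: a search term that is echoed raw
// into pagination markup becomes reflected XSS, and per-context encoding
// stops it. Function names, the markup shape and the payload are assumptions.

// Vulnerable shape: the query text is dropped unchanged into an inline script
// (so the pager JS can reuse it) and into the href of a page link.
function buildPagerVulnerable(querytext, page) {
  return [
    '<script>var querytext = "' + querytext + '";</script>',
    '<a href="/search?querytext=' + querytext + '&page=' + page + '">next</a>',
  ].join('\n');
}

// HTML attribute/text context: escape the five significant characters.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// JavaScript string-literal context: JSON.stringify yields a valid literal;
// the extra replacements keep "</script>" and the two Unicode line
// terminators from ending the inline script or the literal early.
function escapeJsString(s) {
  return JSON.stringify(String(s))
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Hardened shape: URL-encode the parameter value, HTML-escape the finished
// href, emit the script value as a proper literal, and refuse a bogus page.
function buildPagerSafe(querytext, page) {
  const pageNum = Number.isInteger(page) && page > 0 ? page : 1;
  const href = '/search?querytext=' + encodeURIComponent(querytext) + '&page=' + pageNum;
  return [
    '<script>var querytext = ' + escapeJsString(querytext) + ';</script>',
    '<a href="' + escapeHtml(href) + '">next</a>',
  ].join('\n');
}

// Pull the querytext back out of the first page link the way a browser would:
// take the attribute value, undo the HTML escaping (&amp; last), parse the URL.
function querytextFromPager(html) {
  const m = /href="([^"]*)"/.exec(html);
  if (!m) return null;
  const href = m[1]
    .replace(/&lt;/g, '<').replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"').replace(/&#39;/g, "'")
    .replace(/&amp;/g, '&');
  return new URL(href, 'http://example.test').searchParams.get('querytext');
}

// Evaluate the emitted literal the way the browser's JS engine would and
// confirm it reproduces the original value unchanged.
function jsLiteralRoundTrips(s) {
  return new Function('return ' + escapeJsString(s))() === s;
}

// Constructed payload (not taken from the issue): the first part closes the
// JS string literal, the second breaks out of the href attribute.
const PAYLOAD = '";alert(1)//"><img src=x onerror=alert(1)>';

function demo() {
  return '--- vulnerable ---\n' + buildPagerVulnerable(PAYLOAD, 2) +
    '\n--- hardened ---\n' + buildPagerSafe(PAYLOAD, 2);
}

console.log(demo());
```

In the vulnerable output the link's href ends at the first `"` of the payload, so the browser sees an empty querytext followed by a live `<img onerror>`; in the hardened output the same payload survives the round trip through the href as data and the inline literal evaluates back to the original string without ever containing a raw `<`.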