Skip to content

N°9235 - Sanitize oql_clause query parameter in universal search page#833

Merged
Lenaick merged 2 commits intosupport/3.2from
issue/9235-refected-xss-universal-search-oql-clause
Mar 9, 2026
Merged

N°9235 - Sanitize oql_clause query parameter in universal search page#833
Lenaick merged 2 commits intosupport/3.2from
issue/9235-refected-xss-universal-search-oql-clause

Conversation

@Lenaick
Copy link
Contributor

@Lenaick Lenaick commented Mar 9, 2026
edited
Loading

Base information

Question Answer
Related to a SourceForge thread / Another PR / Combodo ticket? N°9235
Type of change? Bug fix

Symptom

The oql_clause parameter in the page Universal Search accepts unsanitized input, which is reflected in the response without proper encoding

Cause

The oql_clause parameter is not sanitized before being rendered in HTML

Proposed solution (bug and enhancement)

Remove the OQL from HTML comments because it is no longer useful today

Checklist before requesting a review

  • I have performed a self-review of my code
  • I have tested all changes I made on an iTop instance
  • I have added a unit test, otherwise I have explained why I couldn't
  • Is the PR clear and detailed enough so anyone can understand digging in the code?

@CombodoApplicationsAccount CombodoApplicationsAccount added the internal Work made by Combodo label Mar 9, 2026
@Lenaick Lenaick requested review from bdalsass and steffunky March 9, 2026 09:04
steffunky
steffunky approved these changes Mar 9, 2026
View reviewed changes
Copy link
Member

@steffunky steffunky left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this addition of the query as a comment to the page even useful ? 😁

@Molkobain
Copy link
Contributor

Molkobain commented Mar 9, 2026

It's true that one could question the relevance of the code itself 😅

@Hipska
Copy link
Contributor

Hipska commented Mar 9, 2026

Why not take actions on this questioning and actually remove it?

@Molkobain
Copy link
Contributor

Molkobain commented Mar 9, 2026

Why not take actions on this questioning and actually remove it?

Actually @Lenaick is gonna ask @dflaven :)

@Lenaick
Copy link
Contributor Author

Lenaick commented Mar 9, 2026

@dflaven confirms that this comment was used at the time to debug the query.
It is no longer useful today, so I have removed it

@Lenaick Lenaick merged commit 9792358 into support/3.2 Mar 9, 2026
@Lenaick Lenaick deleted the issue/9235-refected-xss-universal-search-oql-clause branch March 9, 2026 16:06
@Molkobain Molkobain added this to the 3.2.3 milestone Mar 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Molkobain Molkobain Molkobain approved these changes

@steffunky steffunky steffunky approved these changes

@bdalsass bdalsass Awaiting requested review from bdalsass

Assignees

@Lenaick Lenaick

Labels

internal Work made by Combodo

Projects

None yet

Milestone

3.2.3

Development

Successfully merging this pull request may close these issues.

5 participants

@Lenaick @Molkobain @Hipska @steffunky @CombodoApplicationsAccount