Sanitize exposed search term on databases page
This XSS vulnerability has been reported by OIS:
This has been verified by OIS. The https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flibraries.psu.edu%2Fdatabases%2Fsearch&data=02%7C01%7Ceiosecurity%40psu.edu%7Cbfceb6f40cbc44882a5508d59011e169%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C636573328834369713&sdata=U1jjy%2Fg5p1VvzmFMdVzq2MiPEOmbeAZalXiZejoXOM8%3D&reserved=0 page is susceptible to cross-site scripting on the 'search?' parameter. You can copy/paste that URL into Firefox and see the JavaScript alert popup as a test of the attack.
https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flibraries.psu.edu%2Fdatabases%2Fsearch%3Fquery%3DHoover%27s%253Cimg%2Bsrc%3Dxyz%2Bonerror%3Dalert(150)%253E%253Cxss_d6b6def643a2b1e045705743580a46f9%2F%253E&data=02%7C01%7Ceiosecurity%40psu.edu%7Cbfceb6f40cbc44882a5508d59011e169%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C636573328834369713&sdata=pqDOFFqnjteyRovPXkyNEiqp5IVL0A0OlRcxSrLOqtQ%3D&reserved=0
@cdm32 fixed it by removing the unsanitized $_GET['query']: https://git.psu.edu/i-tech/ul/blob/b355469a54bc8bbaedff093907a847a33c4d7ba2/drupalroot/sites/all/modules/custom/features/psulib_databases_az/templates/views-view--search-databases--page.tpl.php#L67
If we still want to print the search term, it needs to be sanitized properly before output: https://api.drupal.org/api/drupal/includes%21common.inc/group/sanitization/7.x
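For reference, here is the pattern side by side: the unsafe reflection of the request parameter, the fix that was committed (not printing it), and the sanitized alternative using Drupal 7's check_plain(). This is an added illustration, not the contents of the template linked above; the heading markup and the render_* helper names are assumed, and the input is the decoded payload from the OIS report.

```php
<?php
// Added illustration, not the code from views-view--search-databases--page.tpl.php.
// The helper names and the surrounding <h2> markup are assumptions.

// Constructed input: the decoded 'query' parameter from the OIS report.
$query = "Hoover's<img src=xyz onerror=alert(150)>";

// BEFORE: raw request input is concatenated into markup. In the template this
// was print $_GET['query']; the <img onerror> becomes a live element (reflected XSS).
function render_vulnerable($q) {
    return '<h2>Search results for ' . $q . '</h2>';
}

// AFTER, option 1 (what the linked commit does): stop printing the term at all.
function render_removed() {
    return '<h2>Search results</h2>';
}

// AFTER, option 2: escape on output. In Drupal 7 that is check_plain(), which is
// htmlspecialchars($text, ENT_QUOTES, 'UTF-8'). The stand-in below lets this file
// run outside Drupal; inside Drupal the real function is used.
if (!function_exists('check_plain')) {
    function check_plain($text) {
        return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    }
}
function render_sanitized($q) {
    return '<h2>Search results for ' . check_plain($q) . '</h2>';
}

// <, >, quotes and & are now entity-encoded, so the browser renders the payload
// as visible text instead of parsing it as a tag.
echo render_vulnerable($query), PHP_EOL;
echo render_removed(), PHP_EOL;
echo render_sanitized($query), PHP_EOL;
```

Note that check_plain() is for plain-text contexts only; if the term is ever placed inside an attribute, a URL or a JavaScript block, the escaping must match that context.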