
fix: Fix reflected XSS in blog search and emit search #1111

Open
RaminNietzsche wants to merge 1 commit into ceph:main from RaminNietzsche:fix/search-xss-and-json

Conversation

RaminNietzsche commented Jun 14, 2026

Summary

Fixes reflected XSS in blog search and replaces hand-built JSON templates
that could break the search index when post titles contain quotes or special
characters.

Problems

1. Reflected XSS via ?q= parameter

The raw search query from urlParams.get('q') was interpolated into HTML
and assigned via innerHTML without escaping. A crafted URL could execute
arbitrary JavaScript in the visitor's browser.

2. Fragile search JSON generation

search-raw.html and search-output.html built JSON by string concatenation.
Post titles or content with " or control characters produced invalid JSON,
causing scripts/search-index.js to fail at build time.

3. Broken fetch mode (same as #1091)

mode: 'no-cors' on same-origin fetch calls returned opaque responses,
making .json() fail on every search query.

Changes

  • src/js/search-output.js: add escapeHtml(), use safeQuery in output;
    remove no-cors / credentials: 'include' from fetch
  • Replace search-raw.html / search-output.html with .11ty.js templates
    that emit JSON via JSON.stringify()
  • Use locale-aware collection tag ({locale}-blog-post)

Overlap with upstream

This overlaps with open PR #1091 (XSS + fetch fix in search-output.js).
This PR adds safe JSON generation, which #1091 does not cover.
[screenshot]

…tringify

Signed-off-by: ramin.najarbashi <ramin.najarbashi@gmail.com>
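The first two problems in the PR description (unescaped query text assigned via innerHTML, and JSON built by string concatenation) are easy to see side by side. The block below is an added example and not code from this PR or from the ceph.io website repository: the PR mentions an escapeHtml() helper but does not show its body, so the implementation here is a standard one and is an assumption; the render and index-builder functions and the sample post list are constructed for illustration. The fetch option change (dropping mode: 'no-cors' and credentials: 'include') is a configuration change and is not shown.

```javascript
// Added example (not the PR's own code). Shows the vulnerable and the fixed
// shape of the two defects described in the PR.

// escapeHtml(): assumed implementation; the PR names the helper but its body
// is not visible on the page. Escapes the five characters that matter in
// HTML text and attribute contexts.
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Problem 1, vulnerable pattern: the raw ?q= value is interpolated straight
// into markup that is later assigned to innerHTML, so any tag in the query
// is parsed as HTML.
function renderResultsHeaderUnsafe(rawQuery) {
  return `<h2>Results for "${rawQuery}"</h2>`;
}

// Problem 1, fixed pattern: escape first, then interpolate. The browser shows
// the query text literally instead of parsing it.
function renderResultsHeader(rawQuery) {
  const safeQuery = escapeHtml(rawQuery);
  return `<h2>Results for "${safeQuery}"</h2>`;
}

// Problem 2, fragile pattern: JSON assembled by concatenation, as the old
// search-raw.html / search-output.html templates did. A title containing
// a double quote or a control character yields invalid JSON.
function buildIndexByConcatenation(posts) {
  return '[' + posts
    .map(p => '{"title":"' + p.title + '","url":"' + p.url + '"}')
    .join(',') + ']';
}

// Problem 2, fixed pattern: JSON.stringify() escapes quotes, backslashes and
// control characters, so the output always parses.
function buildIndex(posts) {
  return JSON.stringify(posts.map(p => ({ title: p.title, url: p.url })));
}

// Mirrors what scripts/search-index.js would hit at build time: parse the
// generated text and report failure instead of throwing.
function tryParse(text) {
  try {
    return JSON.parse(text);
  } catch (e) {
    return null;
  }
}

// Constructed sample posts: one title with double quotes, one with an
// embedded newline (a control character).
const samplePosts = [
  { title: 'Ceph 19 "Squid" released', url: '/en/news/blog/2024/squid/' },
  { title: 'Line\nbreak in title', url: '/en/news/blog/2024/example/' },
];

// Stand-alone demonstration when run directly with node.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderResultsHeaderUnsafe('<b>ceph</b>'));   // tag survives
  console.log(renderResultsHeader('<b>ceph</b>'));         // tag escaped
  console.log(tryParse(buildIndexByConcatenation(samplePosts))); // null
  console.log(tryParse(buildIndex(samplePosts)));          // two objects
}
```

Running the block with node prints the unsafe header with a live `<b>` tag and the fixed one with `&lt;b&gt;`, and shows that the concatenated index fails to parse on the quoted title while the JSON.stringify() index round-trips both titles intact.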
RaminNietzsche requested a review from a team as a code owner June 14, 2026 05:27

ceph-jenkins commented

Thank you for your contribution. Since you, the author, are not a member of the Ceph GitHub Org yet, our CI will not automatically run. Any member of the Ceph Org may comment "ok - to - test" (without the dashes) to allow the Jenkins jobs to run.

RaminNietzsche (Author) commented

@ceph/ceph-website
