From 48b4dbe1fef4a5e3eed6e46ae2d1f829e2a7cdfa Mon Sep 17 00:00:00 2001
From: Giga Chubinidze <giga@scinote.net>
Date: Mon, 4 Mar 2024 23:09:38 +0400
Subject: [PATCH] HTML report from exported project security issue [SCI-10237]

---
 app/models/my_module.rb                              | 12 ++++++++----
 .../_my_module_result_table_element.html.erb         |  4 ++--
 .../reports/elements/_step_table_element.html.erb    |  4 ++--
 3 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/app/models/my_module.rb b/app/models/my_module.rb
index c8600f90a..627fb7bea 100644
--- a/app/models/my_module.rb
+++ b/app/models/my_module.rb
@@ -349,15 +349,15 @@ class MyModule < ApplicationRecord
     rows.find_each do |row|
       row_json = []
       row_json << row.code
-      row_json << (row.archived ? "#{row.name} [#{I18n.t('general.archived')}]" : row.name)
+      row_json << (row.archived ? "#{escape_script_tag(row.name)} [#{I18n.t('general.archived')}]" : escape_script_tag(row.name))
       row_json << I18n.l(row.created_at, format: :full)
-      row_json << row.created_by.full_name
+      row_json << escape_script_tag(row.created_by.full_name)
       if repository.has_stock_management?
         if repository.is_a?(RepositorySnapshot)
-          consumed_stock = row.repository_stock_consumption_cell&.value&.formatted
+          consumed_stock = escape_script_tag(row.repository_stock_consumption_cell&.value&.formatted)
           row_json << (consumed_stock || 0)
         else
-          row_json << row.row_consumption(row.stock_consumption)
+          row_json << escape_script_tag(row.row_consumption(row.stock_consumption))
         end
       end
       data << row_json
@@ -484,6 +484,10 @@ class MyModule < ApplicationRecord
     protocols << Protocol.new_blank_for_module(self)
   end
 
+  def escape_script_tag(value)
+    value&.gsub(/\</, '&lt;')&.gsub(/\>/, '&gt;')
+  end
+
   def coordinates_uniqueness_check
     if experiment && experiment.my_modules.active.where(x: x, y: y).where.not(id: id).any?
       errors.add(:position, I18n.t('activerecord.errors.models.my_module.attributes.position.not_unique'))
diff --git a/app/views/reports/elements/_my_module_result_table_element.html.erb b/app/views/reports/elements/_my_module_result_table_element.html.erb
index 9333b6d00..2464735b8 100644
--- a/app/views/reports/elements/_my_module_result_table_element.html.erb
+++ b/app/views/reports/elements/_my_module_result_table_element.html.erb
@@ -26,8 +26,8 @@
     </div>
   </div>
   <div class="report-element-body">
-    <input type="hidden" class="hot-table-contents" value="<%= table.contents_utf_8 %>" />
-    <input type="hidden" class="hot-table-metadata" value="<%= table.metadata.to_json %>" />
+    <input type="hidden" class="hot-table-contents" value="<%= table.contents_utf_8.gsub(/\</, '&lt;').gsub(/\>/, '&gt;') %>" />
+    <input type="hidden" class="hot-table-metadata" value="<%= table.metadata.to_json.gsub(/\</, '&lt;').gsub(/\>/, '&gt;') %>" />
     <div class="hot-table-container"></div>
     <table class="report-common-table-format"></table>
   </div>
diff --git a/app/views/reports/elements/_step_table_element.html.erb b/app/views/reports/elements/_step_table_element.html.erb
index 91e3e5ddc..e3334f08c 100644
--- a/app/views/reports/elements/_step_table_element.html.erb
+++ b/app/views/reports/elements/_step_table_element.html.erb
@@ -23,8 +23,8 @@
     </div>
   </div>
   <div class="report-element-body">
-    <input type="hidden" class="hot-table-contents" value="<%= table.contents_utf_8 %>" />
-    <input type="hidden" class="hot-table-metadata" value="<%= table.metadata.to_json %>" />
+    <input type="hidden" class="hot-table-contents" value="<%= table.contents_utf_8.gsub(/\</, '&lt;').gsub(/\>/, '&gt;') %>" />
+    <input type="hidden" class="hot-table-metadata" value="<%= table.metadata.to_json.gsub(/\</, '&lt;').gsub(/\>/, '&gt;') %>" />
     <div class="hot-table-container"></div>
     <table class="report-common-table-format"></table>
   </div>