From d798f1b120b63017fd9d94fcb6e972dcbb073f26 Mon Sep 17 00:00:00 2001
From: Oleksii Kriuchykhin
Date: Thu, 29 Dec 2016 15:15:29 +0100
Subject: [PATCH] Fix XSS vulnerability in protocol keywords [SCI-632]

---
 app/controllers/protocols_controller.rb             | 4 ++++
 app/views/protocols/header/_keywords_label.html.erb | 4 ++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/app/controllers/protocols_controller.rb b/app/controllers/protocols_controller.rb
index 7778d5c08..0f715831a 100644
--- a/app/controllers/protocols_controller.rb
+++ b/app/controllers/protocols_controller.rb
@@ -159,6 +159,10 @@ class ProtocolsController < ApplicationController
   def update_keywords
     respond_to do |format|
+      # sanitize user input
+      params[:keywords].collect! do |keyword|
+        ActionController::Base.helpers.sanitize(keyword)
+      end
       if @protocol.update_keywords(params[:keywords])
         format.json {
           render json: {
diff --git a/app/views/protocols/header/_keywords_label.html.erb b/app/views/protocols/header/_keywords_label.html.erb
index 9bcd1e3a3..085b9bc55 100644
--- a/app/views/protocols/header/_keywords_label.html.erb
+++ b/app/views/protocols/header/_keywords_label.html.erb
@@ -1,5 +1,5 @@
 <% if @protocol.protocol_keywords.count > 0 %>
-  <%= @protocol.protocol_keywords.collect{ |kw| "#{kw.name}" }.join(", ").html_safe %>
+  <%= @protocol.protocol_keywords.collect{ |kw| "#{sanitize(kw.name)}" }.join(", ").html_safe %>
 <% else %>
   <%= t("protocols.no_keywords") %>
-<% end %>
\ No newline at end of file
+<% end %>
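Review bot: `params[:keywords].collect!` in the added block assumes the parameter is always present and is an Array; a request that omits `keywords`, or sends it as a single string, now raises NoMethodError before `update_keywords` runs and the client gets a 500 instead of whatever error path the existing code had. Separately, `sanitize` keeps Rails' whitelisted tags (`<a>`, `<img>`, `<b>`, headings, …), so tag-bearing keywords are still stored as markup — only script vectors are removed — while the stored value is now lossy relative to what the user typed, and it is not a substitute for escaping at render time. If keywords are meant to be plain text, reduce to text and coerce defensively in one step: `params[:keywords] = Array(params[:keywords]).map { |kw| ActionController::Base.helpers.strip_tags(kw.to_s) }` (with Rails 5 `Parameters` the `Array()` coercion may need adjusting, so confirm against the app's Rails version). The body of `update_keywords` continues past the hunk, so I cannot see whether an empty or nil keyword list is handled further down.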
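Review bot: The new line still ends in `.html_safe`, so the label now trusts whatever `sanitize` lets through; Rails' default whitelist keeps `<a href>`, `<img src>`, headings and similar, so a keyword such as `<a href="https://evil.example">click</a>` renders as a live link in the protocol header (content injection / phishing, even if script execution is blocked). If keywords are meant to be plain text — the controller hunk in this same commit strips HTML from them, which suggests so — the simplest and strictest fix is to drop both `sanitize` and `html_safe` and let ERB escape the joined string: `<%= @protocol.protocol_keywords.map(&:name).join(", ") %>`. `join` over plain strings yields an unsafe String, so `<%= %>` HTML-escapes it, and this output no longer depends on Loofah's tag list at all. As a minor point, `count > 0` issues a COUNT query and `collect` then loads the records, so `@protocol.protocol_keywords.any?` (or loading the association once into a local) would save a query.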