Fix XSS vulnerabilities in extended metadata helpers, samples helper, and views

Agent-Logs-Url: https://github.com/seek4science/seek/sessions/a0db5e17-9a4c-4ea4-b006-fc781a2ff034

Co-authored-by: whomingbird <42063448+whomingbird@users.noreply.github.com>

Author: Copilot

app/helpers/bootstrap_helper.rb

@@ -29,6 +29,7 @@ def button_link_to(text, icon, url, options = {})
 
   # A collapsible panel
   def folding_panel(title = nil, collapsed = false, options = {}, &block)
+    title = h(title) unless title.nil? || title.html_safe?
     title += " <span class=\"#{collapsed ? 'caret' : 'caret-up'}\"></span>".html_safe
 
     options[:collapsible] = true
@@ -70,12 +71,12 @@ def panel(title = nil, options = {}, &block)
 
   def panel_title(title, options, heading_options)
     content_tag(:div, heading_options) do # The panel title
-      title_html = ''
+      title_html = ''.html_safe
       if (help_text = options.delete(:help_text))
-        title_html << "#{help_icon(help_text)} "
+        title_html << "#{help_icon(help_text)} ".html_safe
       end
       title_html << title
-      title_html.html_safe
+      title_html
     end
   end
 

app/helpers/extended_metadata_helper.rb

@@ -12,7 +12,7 @@ def extended_metadata_form_field_for_attribute(attribute, resource, parent_resou
 
     if attribute.linked_extended_metadata? || attribute.linked_extended_metadata_multi?
       content_tag(:span, class: 'linked_extended_metdata') do
-        folding_panel(attribute.label, false, id:attribute.title) do
+        folding_panel(h(attribute.label), false, id:attribute.title) do
             attribute_form_element(attribute, resource.extended_metadata.get_attribute_value(attribute.title), element_name, element_class)
         end
       end
@@ -23,10 +23,9 @@ def extended_metadata_form_field_for_attribute(attribute, resource, parent_resou
   end
 
   def extended_metadata_attribute_description(description)
-    html = '<p class="help-block">'
-    html += '<small>'+description+'</small>'
-    html += '</p>'
-    html.html_safe
+    content_tag(:p, class: 'help-block') do
+      content_tag(:small, description)
+    end
   end
 
   def render_extended_metadata_value(attribute, resource)
@@ -38,7 +37,7 @@ def render_extended_metadata_value(attribute, resource)
     content_tag(:div, class: 'extended_metadata') do
       if attribute.linked_extended_metadata? || attribute.linked_extended_metadata_multi?
         content_tag(:span, class: 'linked_extended_metdata_display') do
-          folding_panel(attribute.label, false, id: attribute.title) do
+          folding_panel(h(attribute.label), false, id: attribute.title) do
             display_attribute(resource.extended_metadata, attribute, link: true)
           end
         end

app/helpers/samples_helper.rb

@@ -51,7 +51,7 @@ def linked_extended_metadata_form_field(attribute, value, element_name, element_
 
     attribute.linked_extended_metadata_type.extended_metadata_attributes.each do |attr|
       attr_element_name = "#{element_name}[#{attr.title}]"
-      html += '<div class="form-group"><label>'+attr.label+'</label>'
+      html += '<div class="form-group"><label>'+h(attr.label)+'</label>'
       html +=  required_span if attr.required?
       v = value ? value[attr.title] : nil
       if attr.linked_extended_metadata?
@@ -104,16 +104,16 @@ def authorised_samples(projects = nil)
   end
 
   def sample_attribute_display_title(attribute)
-    title = attribute.title
+    title = h(attribute.title)
     if (unit = attribute.unit) && !unit.dimensionless?
-      title += " ( #{unit} )"
+      title += h(" ( #{unit} )")
     end
     unless attribute.pid.blank?
       title += content_tag(:small, 'data-tooltip'=>attribute.pid) do
-        " [ "+attribute.short_pid+ " ]"
-      end.html_safe
+        (" [ "+h(attribute.short_pid)+ " ]").html_safe
+      end
     end
-    title.html_safe
+    title
   end
 
   def display_attribute(resource, attribute, options = {})
@@ -194,12 +194,12 @@ def linked_extended_metadata_attribute_display(value, attribute)
       html += '<li>'
       if attr.linked_extended_metadata? || attr.linked_extended_metadata_multi?
         html += content_tag(:span, class: 'linked_extended_metdata_display') do
-          folding_panel(attr.label, true, id:attr.title) do
+          folding_panel(h(attr.label), true, id:attr.title) do
             display_attribute_value(v, attr)
           end
         end
       else
-        html += '<label>'+attr.title+'</label>'+' : '
+        html += '<label>'+h(attr.title)+'</label>'+' : '
         html += display_attribute_value(v, attr)
       end
       html += '</li>'

app/views/samples/_sample_error_messages.html.erb

@@ -4,7 +4,7 @@
       <p>There were problems with the following fields:</p>
       <ul>
         <% object.errors.each do |error| %>
-          <li><%= error.full_message.html_safe %></li>
+          <li><%= error.full_message %></li>
         <% end %>
       </ul>
     </div>

app/views/samples/_table_view.html.erb

@@ -49,7 +49,7 @@
                             <%# Wrapping <div> needed for popover to display properly %>
                             <%= content_tag(:div, data: {
                                 toggle: 'popover',
-                                content: errors.map { |e| "#{attribute.title} #{e}<br/>" }.join.html_safe }) do %>
+                                content: errors.map { |e| "#{h(attribute.title)} #{e}<br/>" }.join.html_safe }) do %>
                                 <%= text_or_not_specified(sample.get_attribute_value(attribute), auto_link: link) %>
                             <% end %>
                           </td>

app/views/spreadsheets/_spreadsheet_errors.html.erb

@@ -2,7 +2,7 @@
   <h1><%= errors.size > 1 ? "Errors" : "An error"-%> occurred whilst <%= verb -%> your annotation</h1>
   <ul>
     <% errors.each do |error| %>
-      <li><%= error.full_message.html_safe %></li>
+      <li><%= error.full_message %></li>
     <% end %>
   </ul>
 </div>