e4c2e7d703179df583c9749af4f03f5eefe36d49 hiram Sat Nov 16 16:23:30 2024 -0800 can safely limit all incoming strings to a safe length before passing on refs #32596
diff --git src/hg/js/assemblySearch.js src/hg/js/assemblySearch.js
index f2ce780..95f885d 100644
--- src/hg/js/assemblySearch.js
+++ src/hg/js/assemblySearch.js
@@ -4,30 +4,31 @@
 var debug = true;
 var measureTiming = true;
 var urlParams;
 var query = "";
 var maxItemsOutput = 500;
 var asmIdText = null; // adjust default here and in assemblySearch.html
 var browserExist = "mayExist";
 var betterCommonName = null;
 var comment = null;
 var stateObject = {}; // maintain page state
 var requestSubmitButton = null;
 var completedAsmId = new Map(); // keep track of requests completed
 // so they won't be repeated
+var maxLength = 1024; // limit all incoming strings to this length
 // This function is called on DOMContentLoaded as the initialization
 // procedure for first time page draw
 document.addEventListener('DOMContentLoaded', function() {
 // allow semi colon separators as well as ampersand
 var urlArgList = window.location.search.replaceAll(";", "&");
 urlParams = new URLSearchParams(urlArgList);
 if (urlParams.has('level')) {
 let asmLevel = urlParams.get('level');
 document.getElementById('asmLevelAny').checked = true; // default
 // only one of these four cases will be true
 if (asmLevel === "complete") document.getElementById('asmLevelComplete').checked = true;
 if (asmLevel === "chromosome") document.getElementById('asmLevelChromosome').checked = true;
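Review bot: The new `maxLength` global states the limit but not its scope — a bound applied in page JavaScript only constrains what this page sends, not what the receiving endpoint can be sent, since a client can post any length to it directly. A comment on the added line would keep that straight for the next maintainer: `var maxLength = 1024; // client-side bound on strings this page sends; the server-side handler must enforce its own limit`. Whether that handler already enforces one is not visible from this diff.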
@@ -107,32 +108,35 @@
 // add extra element to the help text bullet list for API example
 if (debug) {
 var searchTipList = document.getElementById("searchTipList");
 // Create a new list item
 var li = document.createElement("li");
 li.innerHTML = "example API call: <span id=\"recentAjax\">n/a</span>";
 // Append the new list item to the ordered list
 searchTipList.appendChild(li);
 }
 var searchForm = document.getElementById('searchForm');
 var advancedSearchButton = document.getElementById('advancedSearchButton');
 var searchInput = document.getElementById('searchBox');
 var clearButton = document.getElementById('clearSearch');
 asmIdText = document.getElementById("formAsmId");
+ asmIdText.textContent = asmIdText.textContent.substring(0,maxLength);
 betterCommonName = document.getElementById("betterCommonName");
+ betterCommonName.value = betterCommonName.value.substring(0,maxLength);
 comment = document.getElementById("comment");
+ comment.value = comment.value.substring(0,maxLength);
 requestSubmitButton = document.getElementById("submitButton");
 document.getElementById("modalFeedback").addEventListener("submit", checkForm, false);
 modalInit();
 var tableBody = document.getElementById('tableBody');
 tableBody.innerHTML = '<tr><td style="text-align:center;" colspan=8><b>(empty table)</b></td></tr>';
 clearButton.addEventListener('click', function() {
 searchInput.value = ''; // Clear the search input field
 });
 searchForm.addEventListener('submit', function(event) {
 event.preventDefault(); // Prevent form submission
 // the trim() removes stray white space before or after the string
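Review bot: The three added `.substring(0,maxLength)` lines run once inside the DOMContentLoaded handler, so they bound only the initial contents of `formAsmId`, `betterCommonName` and `comment`; anything written to those elements later — the `e.name` and `descr` assignments in the `@@ -691,31` hunk, and whatever the user types into the two inputs before submitting — is not limited. The bound belongs where the value is produced or consumed: in the `@@ -691` hunk `document.getElementById("formAsmId").textContent = e.name.substring(0,maxLength);` and `document.getElementById("comment").value = descr.substring(0,maxLength);` (assuming `e.name` is a string, as its use as a Map key suggests), and for user-typed input in the submit handler checkForm (`@@ -627` hunk). With those in place the three lines here add nothing beyond truncating the server-rendered defaults and can be dropped. The enclosing DOMContentLoaded function starts and ends outside this hunk.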
@@ -627,40 +631,42 @@
 }
 closeModal(e);
 return;
 }
 var form = (e.target) ? e.target : e.srcElement;
 if(form.name.value === "") {
 alert("Please enter your Name");
 form.name.focus();
 if (e.preventDefault) {
 e.preventDefault();
 } else {
 e.returnValue = false;
 }
 return;
 }
+ form.name.value = form.name.value.substring(0,maxLength);
 if(form.email.value === "") {
 alert("Please enter a valid Email address");
 form.email.focus();
 if (e.preventDefault) {
 e.preventDefault();
 } else {
 e.returnValue = false;
 }
 return;
 }
+ form.email.value = form.email.value.substring(0,maxLength);
 // validation regex from:
 // https://www.w3resource.com/javascript/form/email-validation.php
 // another example from
 // https://www.simplilearn.com/tutorials/javascript-tutorial/email-validation-in-javascript
 // var validRegex = /^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$/;
 // another example from
 // https://ui.dev/validate-email-address-javascript/
 // return /\S+@\S+\.\S+/.test(email)
 // return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)
 // var re = /^[^\s@]+@[^\s@]+$/;
 // if (re.test(email)) { OK }
 // var validEmail = /^\w+([\.-]?\w+)*@\w+([\.-]?\w+)*(\.\w{2,3})+$/;
 var validEmail = /^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$/;
 if(! validEmail.test(form.email.value)) {
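Review bot: checkForm bounds only `form.name` and `form.email`; the comment and betterCommonName inputs, which appear to belong to the same modal form this handler validates, are not truncated here and can still be submitted at any length. The page-level `comment` and `betterCommonName` variables already hold those elements, so two lines next to the added ones close the gap: `comment.value = comment.value.substring(0,maxLength);` and `betterCommonName.value = betterCommonName.value.substring(0,maxLength);`. Truncating `form.email.value` before the `validEmail` regex is applied to it is the right order and worth keeping, since it bounds the input the pattern has to backtrack over. checkForm starts and ends outside this hunk.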
@@ -691,31 +697,31 @@
 var sciName = "n/a";
 var descr = "n/a";
 var i = 0;
 for (i = 0; i < colGroup.children.length; i++) {
 if (colGroup.children[i].id === "comName") {
 comName = pTable.rows[thisRow].cells[i].innerText;
 } else if (colGroup.children[i].id === "sciName") {
 sciName = pTable.rows[thisRow].cells[i].innerText;
 } else if (colGroup.children[i].id === "description") {
 descr = pTable.rows[thisRow].cells[i].innerText;
 }
 }
 document.getElementById("commonName").textContent = comName;
 document.getElementById("formSciName").textContent = sciName;
 document.getElementById("formAsmId").textContent = e.name;
- document.getElementById("comment").textContent = descr;
+ document.getElementById("comment").value = descr;
 if (completedAsmId.has(e.name)) {
 requestSubmitButton.value = "request completed";
 requestSubmitButton.disabled = false;
 document.getElementById("modalWrapper").className = "overlay";
 return;
 } else {
 completedAsmId.set(e.name, true);
 requestSubmitButton.value = "Submit request";
 }
 document.getElementById("modalWrapper").className = "overlay";
 requestSubmitButton.disabled = false;
 var overflow = modalWindow.offsetHeight - document.documentElement.clientHeight;
 if (overflow > 0) {
 modalWindow.style.maxHeight = (parseInt(window.getComputedStyle(modalWindow).height) - overflow) + "px";
 }