Can't Filter By Topic When Using Multi-Word Topics on Tickets
I tried to assign a topic of "Future Work" to some of our tickets. If I click that topic in the left menu to filter, the screen shows an empty list.
By default clicking the topic label points to a URL like this and the list is empty:
https://git.firmcover.com/tickets/?q=topic:"Future+Work?"&r=[repo_name]
If I manually remove the quotes, one ticket with that topic shows up, but in my case there are five of them that should show up.
The log shows:
[mx:run] 2020-10-29 22:36:57 [WARN ] XSS filter triggered on tickets URL parameter: q=topic:"Future Work"
The XSS filter that triggers here is in GitblitParamUrlCodingStrategy, a very central place. All request parameter decoding is done in this class, i.e. also for requests, the incoming parameters are already XSS encoded.
In this particular case, the filter/query included in the link is a Lucene query string, which can be directly used for a Lucene query. Wicket will unescape the percent escaped double quote and the XSS filter will then complain about the double quote and escape it again. The result is an unusable query string.
One question is if we really need to put the Lucene query verbatim into the URL.
But the underlying problem is way more complex. Right now Gitblit has the strategy to XSS-treat incoming data. This causes problems at various places, because the incoming data may be valid the way it is for many actions, but not for putting it unfiltered into a HTML page. Instead, XSS filtering should be done for all elements that end up in a HTML page, so when creating output, not already at input. But to disable the XSS filter at the ingress, we first need to check in all code that proper XSS filtering is in place at the egress, because currently the code relies on the input being already filtered.
So this is more than a quick fix. It could be implemented in a quick hack, but I'd rather solve the actual problem of XSS filtering the input.
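A model of the two strategies contrasted above, as an added example that is not Gitblit's code: the Lucene-style `q` parameter is percent-decoded, then either HTML-escaped at ingress (which breaks the phrase query and double-escapes on output) or passed through raw and escaped only where it is written into the page. The query string, ticket list and phrase parser are constructed stand-ins.

```python
import html
import re
from urllib.parse import parse_qs

# Constructed sample: the topic-filter link from the report as the browser sends it
# (%22 is the percent-escaped double quote, + is the space).
RAW_QUERY_STRING = 'q=topic%3A%22Future+Work%22&r=example-repo'

# Constructed ticket list: five tickets carry the two-word topic, one does not.
TICKETS = [{"id": i, "topic": "Future Work"} for i in range(1, 6)] + [{"id": 6, "topic": "Bug"}]


def ingress_xss_filter(value):
    """Hypothetical model of filtering at input: every decoded parameter is HTML-escaped
    before the application sees it (the behaviour described above, not Gitblit's code)."""
    return html.escape(value, quote=True)


def decode_params(query_string, filter_at_ingress):
    """Percent-decode the query string (what the web framework does), optionally
    XSS-filtering each value on the way in."""
    params = {k: v[0] for k, v in parse_qs(query_string).items()}
    if filter_at_ingress:
        params = {k: ingress_xss_filter(v) for k, v in params.items()}
    return params


def parse_topic_filter(q):
    """Minimal stand-in for Lucene phrase parsing: topic:"multi word" needs real quotes."""
    m = re.fullmatch(r'topic:"([^"]+)"', q)
    return m.group(1) if m else None


def matching_tickets(q):
    topic = parse_topic_filter(q)
    return [t for t in TICKETS if topic is not None and t["topic"] == topic]


def render_query(q):
    """Egress escaping: escape once, at the point the value is written into the HTML page."""
    return '<span class="query">' + html.escape(q, quote=True) + "</span>"


def run(filter_at_ingress):
    """Returns (query seen by the search code, number of hits, HTML rendering of the query)."""
    q = decode_params(RAW_QUERY_STRING, filter_at_ingress)["q"]
    return q, len(matching_tickets(q)), render_query(q)


if __name__ == "__main__":
    for mode in (True, False):
        q, hits, rendered = run(mode)
        print(f"ingress filter {'on ' if mode else 'off'}: q={q!r} hits={hits} html={rendered}")
```

With the ingress filter on, the search code receives `topic:&quot;Future Work&quot;`, finds nothing, and the page shows the query double-escaped; with escaping only at egress, the raw phrase query matches all five tickets and the rendered HTML is still safely escaped.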