From 3b7a3a7450b35eb4c9e7248fc87e5d2c7e7f24e9 Mon Sep 17 00:00:00 2001
From: alexkiro <1538458+alexkiro@users.noreply.github.com>
Date: Tue, 16 Jul 2024 10:52:54 +0300
Subject: [PATCH] Fix codeql issues (#639)

* Add integrity checks to third-party scripts

* Add the form role for accessibility

* Add test for search and global goals

* Fix potential XSS

This is only a debug dev-only tool, but will still trigger CodeQL

* Remove unused code

- Initially added in f116bb521259485784e390cacef6c427e1509ba3
- Removed usage in 9b46ff7b49895675e3ad39902aca3020a895584b
---
 cypress/e2e/2014-2021/test-global-goals.cy.js | 12 ++++
 cypress/e2e/2014-2021/test-search.cy.js       | 11 +++
 public/cooperation.html                       |  2 +-
 public/funding.html                           |  2 +-
 public/index.html                             |  2 +-
 public/projects.html                          |  2 +-
 templates/base.html                           |  2 +-
 templates/embed_sandbox.html                  |  2 +-
 templates/search/main.html                    | 68 ++++++-------------
 9 files changed, 50 insertions(+), 53 deletions(-)
 create mode 100644 cypress/e2e/2014-2021/test-global-goals.cy.js
 create mode 100644 cypress/e2e/2014-2021/test-search.cy.js

diff --git a/cypress/e2e/2014-2021/test-global-goals.cy.js b/cypress/e2e/2014-2021/test-global-goals.cy.js
new file mode 100644
index 00000000..5eae6482
--- /dev/null
+++ b/cypress/e2e/2014-2021/test-global-goals.cy.js
@@ -0,0 +1,12 @@
+describe("test projects", () => {
+  it("check projects", () => {
+    cy.visit("/");
+    cy.get("a").contains("Global Goals").click();
+    cy.get(".indicator")
+      .first()
+      .should("contain", "50,000")
+      .and("contain", "Indicator 1");
+    cy.contains("€42,000");
+    cy.contains("Life on land");
+  });
+});
diff --git a/cypress/e2e/2014-2021/test-search.cy.js b/cypress/e2e/2014-2021/test-search.cy.js
new file mode 100644
index 00000000..15e3cd81
--- /dev/null
+++ b/cypress/e2e/2014-2021/test-search.cy.js
@@ -0,0 +1,11 @@
+describe("test projects", () => {
+  it("check projects", () => {
+    cy.visit("/");
+    cy.get("form[role=search] input[type=search]").type("programme");
+    cy.get("form[role=search]").submit();
+    cy.contains("1 programme found");
+    cy.contains("Romania");
+    cy.contains("Completed");
+    cy.contains("Programme 1");
+  });
+});
diff --git a/public/cooperation.html b/public/cooperation.html
index 4211f914..1f135daf 100644
--- a/public/cooperation.html
+++ b/public/cooperation.html
@@ -42,7 +42,7 @@
           <li><a href="/projects.html?">Projects</a></li>
         </ul>
       </nav>
-      <form action="/search/organisation/" class="header-search">
+      <form action="/search/organisation/" class="header-search" role="search">
 
         <input type="search" placeholder="Search" name="q">
         <button type="submit" title="Search" name="page" value="1">
diff --git a/public/funding.html b/public/funding.html
index f6fa5577..8fe8ee74 100644
--- a/public/funding.html
+++ b/public/funding.html
@@ -42,7 +42,7 @@
           <li><a href="/projects.html?">Projects</a></li>
         </ul>
       </nav>
-      <form action="/search/programme/" class="header-search">
+      <form action="/search/programme/" class="header-search" role="search">
 
         <input type="search" placeholder="Search" name="q">
         <button type="submit" title="Search" name="page" value="1">
diff --git a/public/index.html b/public/index.html
index 8ea4ce24..2cbf1419 100644
--- a/public/index.html
+++ b/public/index.html
@@ -43,7 +43,7 @@
           <li><a href="/projects.html?">Projects</a></li>
         </ul>
       </nav>
-      <form action="/search/programme/" class="header-search">
+      <form action="/search/programme/" class="header-search" role="search">
 
         <input type="search" placeholder="Search" name="q">
         <button type="submit" title="Search" name="page" value="1">
diff --git a/public/projects.html b/public/projects.html
index 08106ecb..72f5a5cc 100644
--- a/public/projects.html
+++ b/public/projects.html
@@ -42,7 +42,7 @@
           <li><a href="/projects.html?" class="active">Projects</a></li>
         </ul>
       </nav>
-      <form action="/search/project/" class="header-search">
+      <form action="/search/project/" class="header-search" role="search">
 
         <input type="search" placeholder="Search" name="q">
         <button type="submit" title="Search" name="page" value="1">
diff --git a/templates/base.html b/templates/base.html
index 38b56287..23ab6f8e 100644
--- a/templates/base.html
+++ b/templates/base.html
@@ -50,7 +50,7 @@
               {% endfor %}
             </div>
           {% endfor %}
-          <form class="header-search" action="{% url view|search_view_name:current_view %}">
+          <form class="header-search" action="{% url view|search_view_name:current_view %}" role="search">
             <input type="search" placeholder="Search" name="q">
             {% if current_period != 'compare' %}
               <input type="text" name="period" hidden value="{{ current_period }}" />
diff --git a/templates/embed_sandbox.html b/templates/embed_sandbox.html
index 1f6f2273..0cd31702 100644
--- a/templates/embed_sandbox.html
+++ b/templates/embed_sandbox.html
@@ -9,7 +9,7 @@
 <div style="padding: 20px; font-size: 16px;">
   <label>
     Embed Component:
-    <select onchange="location = this.value;">
+    <select onchange="window.location.href = new window.URL(this.value, window.location).toString();">
       <option
           value="{% url 'frontend:embed_sandbox' %}"
           {% if not selected_component or not selected_scenario %}selected{% endif %}
diff --git a/templates/search/main.html b/templates/search/main.html
index 041c9700..a395c54e 100644
--- a/templates/search/main.html
+++ b/templates/search/main.html
@@ -5,8 +5,18 @@
 {% load humanize %}
 
 {% block head %}
-  <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
-  <script src="https://cdnjs.cloudflare.com/ajax/libs/select2/4.0.13/js/select2.min.js"></script>
+  <script
+      src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js"
+      integrity="sha512-v2CJ7UaYy4JwqLDIrZUI/4hqeoQieOmAZNXBeQyjo21dadnwR+8ZaIJVT8EE2iyI61OV8e6M8PP2/4hpQINQ/g=="
+      crossorigin="anonymous"
+      referrerpolicy="no-referrer"
+  ></script>
+  <script
+      src="https://cdnjs.cloudflare.com/ajax/libs/select2/4.0.13/js/select2.min.js"
+      integrity="sha512-2ImtlRlf2VVmiGZsjm9bEyhjGW4dU7B6TNwh/hx/iSByxNENtj3WVE6o/9Lj4TJeVXPi4bnOIMXFIJJAeufa0A=="
+      crossorigin="anonymous"
+      referrerpolicy="no-referrer"
+  ></script>
 {% endblock %}
 
 {% block top %}
@@ -79,9 +89,9 @@ <h1 class="page-title">Search</h1>
             </option>
           {% endfor %}
         </select>
-          <a rel="nofollow" href="{{ export_url }}">
-            Export
-          </a>
+        <a rel="nofollow" href="{{ export_url }}">
+          Export
+        </a>
       </span>
     </div>
 
@@ -197,7 +207,7 @@ <h3 class="sidebar-title">Search filters</h3>
   <script>
   document.addEventListener("DOMContentLoaded", () => {
     _createApp(
-      Dataviz.SearchRoot
+        Dataviz.SearchRoot
     ).mount("#content");
   });
 
@@ -232,12 +242,12 @@ <h3 class="sidebar-title">Search filters</h3>
       var select = $(this);
       if (select.data("kind") && select.data("field")) {
         all_select2.push(
-          select.select2(
-            select2AjaxFactory(
-              select.data("kind"),
-              select.data("field")
+            select.select2(
+                select2AjaxFactory(
+                    select.data("kind"),
+                    select.data("field")
+                )
             )
-          )
         );
       } else {
         all_select2.push(select.select2());
@@ -254,42 +264,6 @@ <h3 class="sidebar-title">Search filters</h3>
       });
     });
 
-    var minimized_elements = $(".truncate");
-    var minimize_character_count = 500;
-
-    minimized_elements.each(function () {
-      var t = $(this).text();
-      if (t.length < minimize_character_count) return;
-
-      $(this).html(
-        t.slice(0, minimize_character_count) + "<span>... </span><a href=\"#\" class=\"more\">More</a>" +
-        "<span style=\"display:none;\">" + t.slice(minimize_character_count, t.length) + " <a href=\"#\" class=\"less\">Less</a></span>"
-      );
-    });
-
-    $("a.more", minimized_elements).click(function (event) {
-      event.preventDefault();
-      var $this = $(this);
-      $(this).next().animate({ "height": "show" }, {
-        duration: 300,
-        done: function () {
-          $this.animate({ "width": "hide" });
-          $this.prev().animate({ "width": "hide" });
-        }
-      });
-    });
-
-    $("a.less", minimized_elements).click(function (event) {
-      event.preventDefault();
-      $(this).parent().animate({ "height": "hide" }, {
-        duration: 300,
-        done: function () {
-          $(this).prev().animate({ "opacity": "show" }, 300);
-          $(this).prev().prev().animate({ "opacity": "show" }, 300);
-        }
-      });
-    });
-
     //Fixing ie form attribute issue
     $visible_input = $(".visible-search-input");
     $hidden_input = $(".hidden-search-input");