From dc3960c5f89a5bb8711d184fadccc167cd2f6ba8 Mon Sep 17 00:00:00 2001
From: Veloman Yunkan
Date: Thu, 25 Jan 2024 15:37:31 +0400
Subject: [PATCH] Fix against a malicious "" in KIWIX_RESPONSE_DATA
---
 src/server/response.cpp | 10 +++++++++-
 test/server.cpp | 2 +-
 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/src/server/response.cpp b/src/server/response.cpp
index 8ccf8c52a..7520ab1cd 100644
--- a/src/server/response.cpp
+++ b/src/server/response.cpp
@@ -34,6 +34,7 @@
 #include
 #include
 #include
+#include
 
 // This is somehow a magic value.
 // If this value is too small, we will compress (and lost cpu time) too much
@@ -330,7 +331,14 @@ std::string ContentResponseBlueprint::Data::asJSON() const { std::ostringstream oss; this->dumpJSON(oss); - return oss.str(); + + // This JSON is going to be used in HTML inside a tag. + // If it contains "" (or "") as a substring, then the HTML + // parser will be confused. Since for a valid JSON that may happen only inside + // a JSON string, we can safely take advantage of the answers to + // https://stackoverflow.com/questions/28259389/how-to-put-script-in-a-javascript-string + // and work around the issue by inserting an otherwise harmless backslash. + return std::regex_replace(oss.str(), std::regex(")", book_name=="zimfile" && book_title=="Ray Charles" && - expected_kiwix_response_data==R"({ "CSS_URL" : false, "PAGE_HEADING" : { "msgid" : "404-page-heading", "params" : { } }, "PAGE_TITLE" : { "msgid" : "404-page-title", "params" : { } }, "details" : [ { "p" : { "msgid" : "url-not-found", "params" : { "url" : "/ROOT%23%3F/content/zimfile/" } } }, { "p" : { "msgid" : "suggest-search", "params" : { "PATTERN" : "script>", "SEARCH_URL" : "/ROOT%23%3F/search?content=zimfile&pattern=script%3E" } } } ] })" && + expected_kiwix_response_data==R"({ "CSS_URL" : false, "PAGE_HEADING" : { "msgid" : "404-page-heading", "params" : { } }, "PAGE_TITLE" : { "msgid" : "404-page-title", "params" : { } }, "details" : [ { "p" : { "msgid" : "url-not-found", "params" : { "url" : "/ROOT%23%3F/content/zimfile/" } } }, { "p" : { "msgid" : "suggest-search", "params" : { "PATTERN" : "script>", "SEARCH_URL" : "/ROOT%23%3F/search?content=zimfile&pattern=script%3E" } } } ] })" && expected_body==R"(
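Review bot: The workaround on the new `return std::regex_replace(...)` line of `asJSON()` patches one closing-tag spelling after serialization, which may be narrower than what an HTML parser treats as special inside a script element. The pattern is not legible in this rendering, so this is hedged: if it is compiled without `std::regex::icase`, an upper- or mixed-case closing tag inside a JSON string would still end the element, and `<!--` sequences are not covered either. Escaping every `<` inside JSON strings as `\u003c` at the point where strings are dumped would cover these cases without a regex and keeps the JSON valid. If the regex stays, hoist it into a `static const std::regex` so it is not recompiled on every call. The end of this hunk is cut off in this rendering, so the rest of `asJSON()` is not visible here.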

Not Found