Merge pull request blockscout#4713 from blockscout/vb-search-xss

Search input field: sanitize input

CHANGELOG.md

@@ -16,6 +16,7 @@
 - [#4579](https://github.com/blockscout/blockscout/pull/4579) - Write contract page: Resize inputs; Improve multiplier selector
 
 ### Fixes
+- [#4713](https://github.com/blockscout/blockscout/pull/4713) - Search input field: sanitize input
 - [#4703](https://github.com/blockscout/blockscout/pull/4703) - Block Details page: Fix pagination on the Transactions tab
 - [#4686](https://github.com/blockscout/blockscout/pull/4686) - Block page: check gas limit value before division
 - [#4678](https://github.com/blockscout/blockscout/pull/4678) - Internal transactions indexer: fix issue of some pending transactions never become confirmed

apps/block_scout_web/assets/js/lib/autocomplete.js

@@ -3,6 +3,7 @@ import AutoComplete from '@tarekraafat/autocomplete.js/dist/autoComplete'
 import { getTextAdData, fetchTextAdData } from './ad'
 import { DateTime } from 'luxon'
 import { appendTokenIcon } from './token_icon'
+import xss from 'xss'
 
 const placeHolder = 'Search by address, token symbol, name, transaction hash, or block number'
 const dataSrc = async (query, id) => {
@@ -118,6 +119,9 @@ const config = (id) => {
       element: (item, data) => resultItemElement(item, data),
       highlight: 'autoComplete_highlight'
     },
+    query: (input) => {
+      return xss(input)
+    },
     events: {
       input: {
         focus: () => {

apps/block_scout_web/assets/package.json

@@ -20,7 +20,7 @@
   },
   "dependencies": {
     "@fortawesome/fontawesome-free": "^5.15.3",
-    "@tarekraafat/autocomplete.js": "^10.2.5",
+    "@tarekraafat/autocomplete.js": "^10.2.6",
     "assert": "^2.0.0",
     "bignumber.js": "^9.0.0",
     "bootstrap": "^4.3.1",
@@ -53,7 +53,8 @@
     "urijs": "^1.19.2",
     "url": "^0.11.0",
     "util": "^0.12.3",
-    "web3": "^1.3.5"
+    "web3": "^1.3.5",
+    "xss": "^1.0.9"
   },
   "devDependencies": {
     "@babel/core": "^7.14.6",