Conversation

@arnayv-47
Contributor

No description provided.

PrashantKF and others added 30 commits June 13, 2025 23:36
Signed-off-by: Kedar M <kedar.moghe@gsa.gov>
kkmoghe-gsa and others added 27 commits June 13, 2025 23:54
Signed-off-by: Kedar M <kedar.moghe@gsa.gov>
@arnayv-47 arnayv-47 requested a review from PrashantKF June 17, 2025 17:22
@arnayv-47 arnayv-47 self-assigned this Jun 17, 2025
</script>
{% endif %}

<script src="https://code.jquery.com/jquery-3.6.0.min.js" type="text/javascript"></script>

Check warning

Code scanning / CodeQL

Inclusion of functionality from an untrusted source Medium

Script loaded from content delivery network with no integrity check.
//console.log("Total results are : " + totalResults);

document.getElementById('search-params').innerHTML = encodeHTML(urlParams.get('query'));
document.getElementById("search-keyword").innerHTML = urlParams.get("query");

Check failure

Code scanning / CodeQL

Client-side cross-site scripting High

Cross-site scripting vulnerability due to user-provided value.

Copilot Autofix

AI 5 months ago

To fix the issue, the user-provided value from urlParams.get("query") must be sanitized or encoded before being assigned to innerHTML. The best approach is to use a contextual output encoding function, such as encodeHTML, to ensure that any potentially malicious characters are escaped. This prevents the execution of scripts embedded in the query parameter.

Steps to fix:

  1. Apply the encodeHTML function to sanitize the urlParams.get("query") value before assigning it to innerHTML on line 45.
  2. Ensure that the encodeHTML function is defined and properly escapes HTML special characters.

Suggested changeset 1
assets/js/search.js

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/assets/js/search.js b/assets/js/search.js
--- a/assets/js/search.js
+++ b/assets/js/search.js
@@ -44,3 +44,3 @@
     document.getElementById('search-params').innerHTML = encodeHTML(urlParams.get('query'));
-    document.getElementById("search-keyword").innerHTML = urlParams.get("query");
+    document.getElementById("search-keyword").innerHTML = encodeHTML(urlParams.get("query"));
     document.getElementById("results-count").innerHTML = totalResults;
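Review bot: encodeHTML(urlParams.get("query")) on the added line will throw when the page is loaded without a query parameter, because URLSearchParams.get() returns null and the encodeHTML proposed elsewhere in this PR (search/index.html) calls str.replace directly; the unchanged line above it has the same problem. Coerce before encoding, e.g. `encodeHTML(urlParams.get("query") || "")`, or make encodeHTML begin with `str = String(str ?? "");` so null and numeric inputs such as totalResults are handled in one place.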
EOF
Copilot is powered by AI and may make mistakes. Always verify output.

pagerLinks += '<div class="usa-footer__contact-info grid-row grid-gap"><div class="grid-col-auto"><p class="margin-top-0">Powered by <strong>Search.gov</strong></p></div></div>';

pager.innerHTML = pagerLinks;

Check failure

Code scanning / CodeQL

Client-side cross-site scripting High

Cross-site scripting vulnerability due to user-provided value.

Copilot Autofix

AI 5 months ago

To fix the issue, we need to ensure that any user-controlled input is properly sanitized or encoded before being inserted into the DOM. The best approach here is to use the encodeHTML function (already defined in the code) to escape special characters in the page parameter and any other user-controlled data before concatenating it into pagerLinks. This will prevent malicious scripts from being executed.

Specifically:

  1. Use encodeHTML to sanitize the page parameter and any other user-controlled values before they are added to pagerLinks.
  2. Replace all instances where page or other user-controlled data is directly concatenated into HTML strings with their sanitized versions.

Suggested changeset 1
assets/js/search.js

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/assets/js/search.js b/assets/js/search.js
--- a/assets/js/search.js
+++ b/assets/js/search.js
@@ -103,3 +103,3 @@
       if (page > 1){
-          pagerLinks += '<a href="' + getLinkToPage(1) + '" aria-label="First page" class="pager-button">First</a>';
+          pagerLinks += '<a href="' + encodeHTML(getLinkToPage(1)) + '" aria-label="First page" class="pager-button">First</a>';
       }
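Review bot: wrapping getLinkToPage(1) in encodeHTML is the correct encoding for a quoted href attribute, but it only protects the attribute boundary, not the URL inside it; a value that alters the scheme or path passes through entity encoding unchanged. Please confirm that getLinkToPage composes the link from a constant path and URL-encodes the query it embeds (encodeURIComponent or URLSearchParams) rather than reflecting location.search as-is; otherwise this hunk silences the alert without removing the injection point.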
@@ -112,6 +112,6 @@
       for (var i = start; i < page; i++) {
-          pagerLinks += '<a href="' + getLinkToPage(i) + '" aria-label="Page ' + i + '" class="pager-button">' + i + '</a>';
+          pagerLinks += '<a href="' + encodeHTML(getLinkToPage(i)) + '" aria-label="Page ' + encodeHTML(i.toString()) + '" class="pager-button">' + encodeHTML(i.toString()) + '</a>';
       }
 
-      pagerLinks += '<span class="margin-2, pager-button-current">Page ' + page + " of " + totalPages + "</span>";
+      pagerLinks += '<span class="margin-2, pager-button-current">Page ' + encodeHTML(page.toString()) + " of " + encodeHTML(totalPages.toString()) + "</span>";
       
@@ -119,3 +119,3 @@
       for (var j = (1*page) + 1; j <= end; j++) {
-          pagerLinks += '<a href="' + getLinkToPage(j) + '" aria-label="Page ' + j + '" class="pager-button">' + j + '</a>';
+          pagerLinks += '<a href="' + encodeHTML(getLinkToPage(j)) + '" aria-label="Page ' + encodeHTML(j.toString()) + '" class="pager-button">' + encodeHTML(j.toString()) + '</a>';
       }
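Review bot: encodeHTML(j.toString()) encodes a loop counter that is never user-controlled, so both new calls on the + line are noise, while the tainted inputs here are page (apparently a string taken from the URL, given the 1*page coercion in the context line) and whatever getLinkToPage embeds. Encode at the source of taint, and consider building these anchors with document.createElement('a') and setting .href, .textContent and setAttribute('aria-label', ...), which needs no escaping and removes the innerHTML sink the alert is about.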
@@ -127,3 +127,3 @@
       if( totalPages > 1 && page < totalPages){
-          pagerLinks += '<a href="' + getLinkToPage(totalPages) + '" aria-label="Last page" class="pager-button">Last</a>';
+          pagerLinks += '<a href="' + encodeHTML(getLinkToPage(totalPages)) + '" aria-label="Last page" class="pager-button">Last</a>';
       }		
EOF
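Added example (not the project's code and not part of the Copilot suggestions above) covering both alerts on assets/js/search.js: the same entity mapping as the proposed encodeHTML, with null and numeric inputs handled, and pager links built from a constant path with URL-encoded parameters. `linkToPage`, `pagerLinkHTML` and `renderPager` are hypothetical stand-ins for the page's getLinkToPage and its concatenated `<a>` markup.

```javascript
// Added example, not the repository's code. The two findings differ in sink
// context: the search keyword lands in element text, the pager links in an href
// attribute. HTML entity encoding is right for both contexts, but it does not make
// a URL safe; the URL must be built from a fixed path with URL-encoded parameters.

// Same mapping as the encodeHTML proposed in the autofix, plus coercion of the
// null that urlParams.get() returns for a missing parameter and of numbers such
// as totalResults, both of which would otherwise throw on .replace().
function encodeHTML(value) {
  return String(value ?? "")
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hypothetical stand-in for getLinkToPage: the path is a constant and the query
// and page number are URL-encoded by URLSearchParams, so user input can never
// change the scheme or path of the link.
function linkToPage(basePath, query, page) {
  const params = new URLSearchParams({ query: query ?? "", page: String(page) });
  return basePath + "?" + params.toString();
}

// Hypothetical stand-in for the concatenated <a> markup: every dynamic piece is
// encoded for its context (href and aria-label are quoted attributes, the label
// is element text).
function pagerLinkHTML(href, ariaLabel, text) {
  return '<a href="' + encodeHTML(href) + '" aria-label="' + encodeHTML(ariaLabel) +
         '" class="pager-button">' + encodeHTML(text) + '</a>';
}

// Render the "Page N of M" line and, when one exists, a link to the next page.
function renderPager(basePath, query, page, totalPages) {
  let html = '<span class="pager-button-current">Page ' + encodeHTML(page) +
             ' of ' + encodeHTML(totalPages) + '</span>';
  if (page < totalPages) {
    const next = page + 1;
    html += pagerLinkHTML(linkToPage(basePath, query, next), 'Page ' + next, String(next));
  }
  return html;
}

// Constructed sample input: a query carrying markup and URL metacharacters.
const sampleQuery = '<b>cats</b> & "dogs"';
console.log(renderPager('/search/', sampleQuery, 1, 3));
```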
//console.log("Total results are : " + totalResults);

document.getElementById('search-params').innerHTML = encodeHTML(urlParams.get('query'));
document.getElementById("search-keyword").innerHTML = urlParams.get("query");

Check failure

Code scanning / CodeQL

Client-side cross-site scripting High

Cross-site scripting vulnerability due to user-provided value.

Copilot Autofix

AI 5 months ago

To fix the issue, the user-provided input (urlParams.get("query")) must be sanitized or encoded before being inserted into the DOM. The best approach is to use a function that performs contextual output encoding to ensure that any special characters in the input are properly escaped. This prevents malicious scripts from being executed.

The fix involves:

  1. Introducing a utility function, encodeHTML, to encode special characters in the input.
  2. Replacing the direct use of urlParams.get("query") in innerHTML with the encoded version of the input.

Changes are required in the file search/index.html:

  • Add the encodeHTML function.
  • Update line 48 to use encodeHTML(urlParams.get("query")).

Suggested changeset 1
search/index.html

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/search/index.html b/search/index.html
--- a/search/index.html
+++ b/search/index.html
@@ -14,2 +14,9 @@
   
+  function encodeHTML(str) {
+    return str.replace(/&/g, "&amp;")
+              .replace(/</g, "&lt;")
+              .replace(/>/g, "&gt;")
+              .replace(/"/g, "&quot;")
+              .replace(/'/g, "&#39;");
+  }
   
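Review bot: the context line at @@ -47 in the next hunk already calls encodeHTML, so either a definition already exists in this file and this hunk adds a second one (a later function declaration in the same script scope silently replaces the earlier), or the existing call was already failing; check which before merging. Also, str.replace assumes a string: urlParams.get() returns null for a missing parameter and totalResults is a number, so start the function with `str = String(str ?? "");`.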
@@ -47,3 +54,3 @@
       document.getElementById('search-params').innerHTML = encodeHTML(urlParams.get('query'));
-      document.getElementById("search-keyword").innerHTML = urlParams.get("query");
+      document.getElementById("search-keyword").innerHTML = encodeHTML(urlParams.get("query"));
       document.getElementById("results-count").innerHTML = totalResults;
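Review bot: all three elements in this hunk receive plain text, so assigning textContent instead of innerHTML removes the sink outright and needs no encoder, e.g. `document.getElementById("search-keyword").textContent = urlParams.get("query") || "";`. The unchanged results-count line is the same pattern and still writes totalResults through innerHTML; switch it to textContent in the same change.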
EOF

pagerLinks += '<div class="usa-footer__contact-info grid-row grid-gap"><div class="grid-col-auto"><p class="margin-top-0">Powered by <strong>Search.gov</strong></p></div></div>';

pager.innerHTML = pagerLinks;

Check failure

Code scanning / CodeQL

Client-side cross-site scripting High

Cross-site scripting vulnerability due to user-provided value.

Copilot Autofix

AI 5 months ago

To fix the issue, we need to sanitize or encode any user-controlled input before inserting it into the DOM. Specifically:

  1. Use the encodeHTML function to sanitize the page variable and any other user-controlled data before appending it to pagerLinks.
  2. Ensure that all dynamic content added to pagerLinks is properly encoded to prevent XSS.

The changes will involve:

  • Applying encodeHTML to the page variable and other user-controlled data in the update_pager function.
  • Ensuring that all HTML content constructed in pagerLinks is safe.

Suggested changeset 1
search/index.html

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/search/index.html b/search/index.html
--- a/search/index.html
+++ b/search/index.html
@@ -115,6 +115,6 @@
 		for (var i = start; i < page; i++) {
-			pagerLinks += '<a href="' + getLinkToPage(i) + '" aria-label="Page ' + i + '" class="pager-button">' + i + '</a>';
+			pagerLinks += '<a href="' + encodeHTML(getLinkToPage(i)) + '" aria-label="Page ' + encodeHTML(i.toString()) + '" class="pager-button">' + encodeHTML(i.toString()) + '</a>';
 		}
 
-		pagerLinks += '<span class="margin-2, pager-button-current">Page ' + page + " of " + totalPages + "</span>";
+		pagerLinks += '<span class="margin-2, pager-button-current">Page ' + encodeHTML(page.toString()) + " of " + encodeHTML(totalPages.toString()) + "</span>";
         
@@ -122,3 +122,3 @@
 		for (var j = (1*page) + 1; j <= end; j++) {
-			pagerLinks += '<a href="' + getLinkToPage(j) + '" aria-label="Page ' + j + '" class="pager-button">' + j + '</a>';
+			pagerLinks += '<a href="' + encodeHTML(getLinkToPage(j)) + '" aria-label="Page ' + encodeHTML(j.toString()) + '" class="pager-button">' + encodeHTML(j.toString()) + '</a>';
 		}
@@ -130,3 +130,3 @@
         if( totalPages > 1 && page < totalPages){
-            pagerLinks += '<a href="' + getLinkToPage(totalPages) + '" aria-label="Last page" class="pager-button">Last</a>';
+            pagerLinks += '<a href="' + encodeHTML(getLinkToPage(totalPages)) + '" aria-label="Last page" class="pager-button">Last</a>';
         }		
EOF
4 participants