Search JSON → client-side XSS (high priority)

[kallal79]

Short summary
A client-side search feature consumed a generated search.json and rendered results by injecting HTML strings. If search.json contains malicious content, a visitor using search could execute arbitrary JavaScript in the site origin. This is a high-impact vulnerability and should be fixed and CI‑checked immediately.

Fix applied (summary)

• search.json generation: fields serialized with Liquid jsonify to produce valid, safe JSON.
• src/js/simpleJekyllSearch.js: switched from string-based templating to DOM construction with textContent to avoid HTML parsing of untrusted values.
• src/js/target_blank.js: added rel="noopener noreferrer" for external links to prevent reverse tabnabbing.

Verification (quick commands)

• Manual PoC test: create malicious search.json and open poc-search-xss.html.
• Run the verification scripts added in scripts/:

# run these from repo root
node scripts/check_search_json.js
node scripts/check_target_blank_rel.js .

[kallal79]

Files changed (remediations applied):

• src/js/target_blank.js: added rel="noopener noreferrer" to external links to prevent reverse tabnabbing (already applied).
• search.json: replaced per-post output with jsonify serialized fields so values are JSON-safe and types are preserved.
• src/js/simpleJekyllSearch.js: replaced string-based HTML construction with safe DOM element creation using textContent for inserted strings.

Example check (node):

const fs = require('fs');
const search = JSON.parse(fs.readFileSync('search.json').toString().replace(/^```json\n|```\n$/g,''));
search.forEach(p => {
  if (typeof p.title !== 'string') throw new Error('title not string');
  if (p.title.match(/[<>]/)) console.warn('possible angle brackets in title');
});