From cb4e463525369623e0be48e6d7bbd2f6039f19a7 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 17 Mar 2026 21:41:52 +0000
Subject: [PATCH 1/2] Initial plan


From 5df4cd48f5e5df6c4ee59d096fc1abdf128e1076 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 17 Mar 2026 21:50:48 +0000
Subject: [PATCH 2/2] Fix XSS issue #2870: improve test coverage for from/until
 params and fix is_unsafe_str

Co-authored-by: deniszh <1227222+deniszh@users.noreply.github.com>
---
 webapp/tests/base.py     |  4 ++--
 webapp/tests/test_xss.py | 13 +++++++++++--
 2 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/webapp/tests/base.py b/webapp/tests/base.py
index 844f28ead..ebd894354 100644
--- a/webapp/tests/base.py
+++ b/webapp/tests/base.py
@@ -4,9 +4,9 @@
 
 def is_unsafe_str(s):
     for symbol in '<>':
-        if s.find(symbol) > 0:
+        if s.find(symbol) >= 0:
             return True
-        return False
+    return False
 
 
 class TestCase(OriginalTestCase):
diff --git a/webapp/tests/test_xss.py b/webapp/tests/test_xss.py
index f5ee5d317..da9d17eed 100644
--- a/webapp/tests/test_xss.py
+++ b/webapp/tests/test_xss.py
@@ -29,7 +29,7 @@ def test_render_xss(self):
         xssStr = '<noscript><p title="</noscript><img src=x onerror=alert() onmouseover=alert()>">'
 
         # Check for issue #2779 and others
-        response = self.client.get(url, {'target': 'test', 'format': 'raw', 'cacheTimeout': xssStr, 'from': xssStr})
+        response = self.client.get(url, {'target': 'test', 'format': 'raw', 'cacheTimeout': xssStr, 'from': xssStr, 'until': xssStr})
         self.assertXSS(response, status_code=400, msg_prefix='XSS detected: ')
 
 
@@ -38,5 +38,14 @@ def test_render_xss(self):
         url = reverse('metrics_find')
         xssStr = '<noscript><p title="</noscript><img src=x onerror=alert() onmouseover=alert()>">'
 
-        response = self.client.get(url, {'query': 'test', 'local': xssStr, 'from': xssStr, 'tz': xssStr})
+        response = self.client.get(url, {'query': 'test', 'local': xssStr, 'from': xssStr, 'until': xssStr, 'tz': xssStr})
         self.assertXSS(response, status_code=400, msg_prefix='XSS detected: ')
+
+    def test_find_xss_script_tag(self):
+        """Test that <script> tags in from/until parameters are properly escaped (issue #2870)"""
+        url = reverse('metrics_find')
+        xssStr = "<script>alert('XSS')</script>"
+
+        for param in ('from', 'until'):
+            response = self.client.get(url, {'query': 'test', param: xssStr})
+            self.assertXSS(response, status_code=400, msg_prefix='XSS detected in %s: ' % param)