[SECURITY] Fixes security issues #4526, #4523 und #4522 reported by C…

…odeQL (kitodo#1041)

Co-authored-by: Sebastian Meyer <[email protected]>

Resources/Public/JavaScript/PageView/ImageManipulationControl.js

@@ -45,7 +45,7 @@ dlfViewerImageManipulationControl = function(options) {
      * @type {Element}
      * @private
      */
-    this.toolContainerEl_ = dlfUtils.exists(options.toolContainer) ? options.toolContainer : $(this.dic['parentContainer'])[0];
+    this.toolContainerEl_ = dlfUtils.exists(options.toolContainer) ? options.toolContainer : $.find(this.dic['parentContainer'])[0];
 
     //
     // Append open/close behavior to toolbox

Resources/Public/JavaScript/PageView/PageView.js

@@ -447,8 +447,7 @@ dlfViewer.prototype.displayHighlightWord = function(highlightWords = null) {
 
     // exctract highlighWords from URL
     if (this.highlightWords === null) {
-        var urlParams = dlfUtils.getUrlParams();
-        this.highlightWords = urlParams['tx_dlf[highlight_word]'];
+        this.highlightWords = dlfUtils.getUrlParam('tx_dlf[highlight_word]');
     }
 
     if (!dlfUtils.exists(this.highlightLayer)) {

Resources/Public/JavaScript/PageView/SearchInDocument.js

@@ -133,12 +133,12 @@ function getCurrentQueryParams(baseUrl) {
 function getNavigationButtons(start, numFound) {
     var buttons = "";
 
-    if (start > 0) {
-        buttons += '<input type="button" id="tx-dlf-search-in-document-button-previous" class="button-previous" onclick="previousResultPage();" value="' + $('#tx-dlf-search-in-document-label-previous').text() + '" />';
+    if(start > 0) {
+        buttons += '<input type="button" id="tx-dlf-search-in-document-button-previous" class="button-previous" onclick="previousResultPage();" />';
     }
 
-    if (numFound > (start + 20)) {
-        buttons += '<input type="button" id="tx-dlf-search-in-document-button-next" class="button-next" onclick="nextResultPage();" value="' + $('#tx-dlf-search-in-document-label-next').text() + '" />';
+    if(numFound > (start + 20)) {
+        buttons += '<input type="button" id="tx-dlf-search-in-document-button-next" class="button-next" onclick="nextResultPage();" />';
     }
     return buttons;
 }
@@ -265,11 +265,14 @@ $(document).ready(function() {
 
                     addImageHighlight(data);
                 } else {
-                    resultList += '<li class="noresult">' + $('#tx-dlf-search-in-document-label-noresult').text() + '</li>';
+                    resultList += '<li class="noresult"></li>';
                 }
                 resultList += '</ul>';
                 resultList += getNavigationButtons(start, data['numFound']);
                 $('#tx-dlf-search-in-document-results').html(resultList);
+                $('.noresult').text($('#tx-dlf-search-in-document-label-noresult').text());
+                $('.button-previous').attr('value', $('#tx-dlf-search-in-document-label-previous').text());
+                $('.button-next').attr('value', $('#tx-dlf-search-in-document-label-next').text());
             },
             "json"
         )

Resources/Public/JavaScript/PageView/Utility.js

@@ -507,21 +507,14 @@ dlfUtils.getCookie = function (name) {
 
 /**
  * Returns url parameters
- * @returns {Object|undefined}
+ * @returns {string|null}
  */
-dlfUtils.getUrlParams = function () {
+dlfUtils.getUrlParam = function (param) {
     if (Object.prototype.hasOwnProperty.call(location, 'search')) {
-        var search = decodeURIComponent(location.search).slice(1).split('&'),
-            params = {};
-
-        search.forEach(function (item) {
-            var s = item.split('=');
-            params[s[0]] = s[1];
-        });
-
-        return params;
+        const urlParams = new URLSearchParams(location.search);
+        return urlParams.get(param);
     }
-    return undefined;
+    return null;
 };
 
 /**