Reflected XSS vulnerability OPAC org unit selector

Here is a branch in the security repo: user/sandbergja/lp2019157-reflected-xss-in-orgselect

Steps to test, from the commit message:

1. If you don't already have a library group, go to Admin > Server > Library Groups and make one that is Global.
2. In your browser, go to [your_domain]/eg/opac/home?locg='><script>alert('bad bad bad')</script>
3. Note that the site executes javascript code that is passed in via the URL.
4. Apply this patch
5. Repeat step 2.
6. Note that the arbitrary js does not get run anymore.
7. Confirm that library group searching still works as expected.

I am not able to reproduce the initial bug report in Chrome 125 nor in Firefox 126. Simply altering the URL does not open an alert popup. I allowed popups from my Evergreen site in the both browsers. I am using Linux on the desktop, so that may make a difference.

I do agree with the patch restricting locg to only numbers. I'll test it to see if that causes any issues.

While I still have not been able to get a popup to appear, I do get the following in the OPAC org unit selector on a test system with a lasso set up:

alert('bad'):lasso(2)' > Academics

This confirms that the locg value definitely needs scrubbing.

Jane's patch works for me and does not seem to interfere with search by lasso. I added a lasso for our academic members to a test system and that works as I expected.

I've pushed a signoff branch to security/user/dyrcona/lp2019157-reflected-xss-in-orgselect-signoff

Thanks, Jane!

I tested this as well. Additional signoff branch is security/user/gmcharlt/lp2019157_signoff in preparation for this week's security release.