
Security: fix four vulnerabilities in autocomplete app#19

Merged: gb119 merged 3 commits into main from copilot/audit-security-in-autocomplete-app on Mar 2, 2026

Conversation

Copilot AI (Contributor) commented Mar 2, 2026

The autocomplete app had four security issues: unauthenticated access to data-exposing endpoints, a reflected XSS via inline JS event handlers, an unhandled 500 on bad URL parameters, and an HTML attribute injection via unescaped component_prefix.

Changes

Critical – Block unauthenticated access by default (core.py)

auth_check previously used AUTOCOMPLETE_BLOCK_UNAUTHENTICATED defaulting to False, meaning all autocomplete endpoints (users, equipment, cost centres) were reachable without a session. Inverted to deny by default; opt-out via AUTOCOMPLETE_ALLOW_UNAUTHENTICATED = True.

High – XSS via component_id in inline event handler (textinput.html)

<!-- before -->
onblur="..., '{{ component_id }}', ..."
<!-- after -->
onblur="..., '{{ component_id|escapejs }}', ..."

Django's HTML auto-escaping converts ' to &#x27;, but the browser decodes entities before executing the event handler, allowing field_name=x'); alert(1); // to break out of the string. escapejs backslash-escapes JS special characters instead.

Medium – 500 on unknown ac_name → 404 (views.py)

ac_class raised an unhandled ValueError for unregistered names; changed to Http404.

Medium – component_prefix attribute injection (templatetags/autocomplete.py)

component_prefix was embedded in a single-quote-delimited hx-vals attribute without HTML escaping. A ' in the value terminates the attribute early, enabling e.g. onmouseover='...' injection. Applied escape() consistently with field_name.

Tests

Added apps/autocomplete/tests.py (12 tests) covering auth enforcement, 404 behaviour, hx-vals escaping, and XSS safety of the search_highlight filter.
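The point the description makes about the two escaping contexts (HTML entity decoding happens before the inline handler runs, so only JS-context escaping keeps a value inside the string literal; likewise a quote inside a single-quoted hx-vals attribute ends the attribute) can be checked end to end in plain Python. This is an added example, not code from this PR or the project: `escapejs` below reimplements the character mapping of Django's `django.utils.html.escapejs` so the script runs without Django (an assumption about faithfulness), `html.escape` stands in for Django's auto-escaping, and the handler name `clearHints` and the JSON shape of the hx-vals value are constructed placeholders.

```python
import html
import re
from html.parser import HTMLParser

# Characters Django's escapejs rewrites to \uXXXX so an untrusted value can
# never close a JS string literal, start a tag, or introduce an HTML entity.
# (Reimplemented here; assumption: matches django.utils.html.escapejs.)
_JS_ESCAPES = {
    ord("\\"): "\\u005C", ord("'"): "\\u0027", ord('"'): "\\u0022",
    ord(">"): "\\u003E", ord("<"): "\\u003C", ord("&"): "\\u0026",
    ord("="): "\\u003D", ord("-"): "\\u002D", ord(";"): "\\u003B",
    ord("`"): "\\u0060", ord("\u2028"): "\\u2028", ord("\u2029"): "\\u2029",
}
_JS_ESCAPES.update((c, "\\u%04X" % c) for c in range(32))


def escapejs(value):
    """Backslash-escape a value for use inside a JS string literal."""
    return str(value).translate(_JS_ESCAPES)


def render_onblur_before(component_id):
    """'Before' template: only HTML auto-escaping protects the JS literal."""
    return 'onblur="clearHints(this, \'%s\')"' % html.escape(component_id, quote=True)


def render_onblur_after(component_id):
    """'After' template: |escapejs applied inside the single-quoted literal."""
    return 'onblur="clearHints(this, \'%s\')"' % escapejs(component_id)


def handler_source(attribute_markup):
    """What the JS engine actually receives: the attribute value after the
    browser has decoded HTML entities (the step that undoes HTML escaping)."""
    match = re.fullmatch(r'onblur="(.*)"', attribute_markup, re.S)
    return html.unescape(match.group(1))


def split_first_js_literal(js):
    """Return (body, rest) for the first single-quoted JS literal, honouring
    backslash escapes; `rest` is the source after the closing quote."""
    start = js.index("'") + 1
    i = start
    while i < len(js):
        if js[i] == "\\":
            i += 2          # skip the escaped character
            continue
        if js[i] == "'":
            return js[start:i], js[i + 1:]
        i += 1
    raise ValueError("unterminated literal")


def literal_stays_intact(component_id, render):
    """True if the untrusted value is still confined to one JS string argument."""
    _, rest = split_first_js_literal(handler_source(render(component_id)))
    return rest == ")"


# --- hx-vals attribute injection (templatetags) -----------------------------

def render_hx_vals_before(component_prefix):
    """'Before': raw value inside a single-quoted attribute (constructed shape)."""
    return "<input hx-vals='{\"prefix\": \"%s\"}'>" % component_prefix


def render_hx_vals_after(component_prefix):
    """'After': escape() applied, so ' becomes &#x27; and cannot end the attribute."""
    return "<input hx-vals='{\"prefix\": \"%s\"}'>" % html.escape(component_prefix, quote=True)


class _AttrNames(HTMLParser):
    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        self.names = [name for name, _ in attrs]


def attribute_names(tag_markup):
    """Attribute names an HTML parser sees in one start tag."""
    parser = _AttrNames()
    parser.feed(tag_markup)
    parser.close()
    return parser.names


if __name__ == "__main__":
    payload = "x'); alert(1); //"          # constructed field_name from the description
    print("HTML escaping only :", literal_stays_intact(payload, render_onblur_before))
    print("escapejs           :", literal_stays_intact(payload, render_onblur_after))
    prefix = "a' onmouseover='x"           # constructed component_prefix
    print("hx-vals unescaped  :", attribute_names(render_hx_vals_before(prefix)))
    print("hx-vals escaped    :", attribute_names(render_hx_vals_after(prefix)))
```

Running it shows the HTML-only variant reporting the literal as broken (the decoded handler reads `clearHints(this, 'x'); alert(1); //')`) while the escapejs variant keeps the whole value inside one literal, and the unescaped hx-vals tag growing an `onmouseover` attribute that the escaped tag does not have.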



Copilot AI and others added 2 commits March 2, 2026 22:42
Co-authored-by: gb119 <4428426+gb119@users.noreply.github.com>
Co-authored-by: gb119 <4428426+gb119@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Audit autocomplete app for security issues and propose fixes" to "Security: fix four vulnerabilities in autocomplete app" on Mar 2, 2026
Copilot finished work on behalf of gb119 March 2, 2026 22:45
@gb119 gb119 marked this pull request as ready for review March 2, 2026 23:47
@gb119 gb119 merged commit 3723024 into main Mar 2, 2026
2 checks passed
@gb119 gb119 deleted the copilot/audit-security-in-autocomplete-app branch March 2, 2026 23:48