Fix search query escaping

r 2020-10-17 16:25:08 +00:00
parent 9c5cb289f9
commit 7d989d56e5
4 changed files with 11 additions and 10 deletions


@ -2,7 +2,6 @@ package renderer
import ( import (
"fmt" "fmt"
htemplate "html/template"
"io" "io"
"strconv" "strconv"
"strings" "strings"
@ -146,7 +145,6 @@ func NewRenderer(templateGlobPattern string) (r *renderer, err error) {
"FormatTimeRFC3339": formatTimeRFC3339, "FormatTimeRFC3339": formatTimeRFC3339,
"FormatTimeRFC822": formatTimeRFC822, "FormatTimeRFC822": formatTimeRFC822,
"WithContext": withContext, "WithContext": withContext,
"HTMLEscape": htemplate.HTMLEscapeString,
}).ParseGlob(templateGlobPattern) }).ParseGlob(templateGlobPattern)
if err != nil { if err != nil {
return return


@ -5,6 +5,7 @@ import (
"errors" "errors"
"fmt" "fmt"
"mime/multipart" "mime/multipart"
"html/template"
"net/url" "net/url"
"strings" "strings"
@ -589,18 +590,19 @@ func (svc *service) ServeUserSearchPage(c *model.Client,
if len(results.Statuses) == 20 { if len(results.Statuses) == 20 {
offset += 20 offset += 20
nextLink = fmt.Sprintf("/usersearch/%s?q=%s&offset=%d", id, q, offset) nextLink = fmt.Sprintf("/usersearch/%s?q=%s&offset=%d", id, url.QueryEscape(q), offset)
} }
qq := template.HTMLEscapeString(q)
if len(q) > 0 { if len(q) > 0 {
title += " \"" + q + "\"" title += " \"" + qq + "\""
} }
commonData := svc.getCommonData(c, title) commonData := svc.getCommonData(c, title)
data := &renderer.UserSearchData{ data := &renderer.UserSearchData{
CommonData: commonData, CommonData: commonData,
User: user, User: user,
Q: q, Q: qq,
Statuses: results.Statuses, Statuses: results.Statuses,
NextLink: nextLink, NextLink: nextLink,
} }
@ -649,17 +651,18 @@ func (svc *service) ServeSearchPage(c *model.Client,
if (qType == "accounts" && len(results.Accounts) == 20) || if (qType == "accounts" && len(results.Accounts) == 20) ||
(qType == "statuses" && len(results.Statuses) == 20) { (qType == "statuses" && len(results.Statuses) == 20) {
offset += 20 offset += 20
nextLink = fmt.Sprintf("/search?q=%s&type=%s&offset=%d", q, qType, offset) nextLink = fmt.Sprintf("/search?q=%s&type=%s&offset=%d", url.QueryEscape(q), qType, offset)
} }
qq := template.HTMLEscapeString(q)
if len(q) > 0 { if len(q) > 0 {
title += " \"" + q + "\"" title += " \"" + qq + "\""
} }
commonData := svc.getCommonData(c, title) commonData := svc.getCommonData(c, title)
data := &renderer.SearchData{ data := &renderer.SearchData{
CommonData: commonData, CommonData: commonData,
Q: q, Q: qq,
Type: qType, Type: qType,
Users: results.Accounts, Users: results.Accounts,
Statuses: results.Statuses, Statuses: results.Statuses,
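Review bot: `qq := template.HTMLEscapeString(q)` turns `Q` on `renderer.SearchData` (and on `UserSearchData` in the hunk above) into pre-escaped HTML instead of the raw query, and neither the assignment nor the struct records that, so any later consumer that escapes `.Q` again or URL-encodes it for a link will double-encode it. Add a comment at the assignment in both functions: `// qq is HTML-escaped here because the search templates render .Q and the page title verbatim; never URL-encode qq (nextLink uses q with url.QueryEscape for that).` The escaped `title` is also handed to `svc.getCommonData`, which is outside the hunk, so whether that path escapes once more cannot be seen here and is worth confirming. If the renderer parses these templates with html/template rather than text/template, the pre-escaping would be redundant and `{{.Q}}` would display `&amp;quot;`, which should be checked against renderer.NewRenderer. Both ServeUserSearchPage and ServeSearchPage start and end outside their hunks.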


@ -5,7 +5,7 @@
<form class="search-form" action="/search" method="GET"> <form class="search-form" action="/search" method="GET">
<span class="post-form-field"> <span class="post-form-field">
<label for="query"> Query </label> <label for="query"> Query </label>
<input id="query" name="q" value="{{.Q | HTMLEscape}}"> <input id="query" name="q" value="{{.Q}}">
</span> </span>
<span class="post-form-field"> <span class="post-form-field">
<label for="type"> Type </label> <label for="type"> Type </label>
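Review bot: With the `HTMLEscape` pipe dropped, `value="{{.Q}}"` now reads as an unescaped interpolation, and nothing in the template tells a reader that the handler already escaped `.Q`; the usersearch template in the next file has the same line. A template comment directly above the input, `{{/* .Q arrives HTML-escaped from the handler (template.HTMLEscapeString); do not re-escape */}}`, records the invariant at the point where it is relied upon. Any further field interpolated into this form the way `.Q` was before this change will need the same handler-side treatment, which the comment makes visible.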


@ -5,7 +5,7 @@
<form class="search-form" action="/usersearch/{{.User.ID}}" method="GET"> <form class="search-form" action="/usersearch/{{.User.ID}}" method="GET">
<span class="post-form-field> <span class="post-form-field>
<label for="query"> Query </label> <label for="query"> Query </label>
<input id="query" name="q" value="{{.Q | HTMLEscape}}"> <input id="query" name="q" value="{{.Q}}">
</span> </span>
<button type="submit"> Search </button> <button type="submit"> Search </button>
</form> </form>