Fix search query escaping
authorr <r@freesoftwareextremist.com>
Sat, 17 Oct 2020 16:25:08 +0000 (16:25 +0000)
committerr <r@freesoftwareextremist.com>
Sat, 17 Oct 2020 16:25:08 +0000 (16:25 +0000)
renderer/renderer.go
service/service.go
templates/search.tmpl
templates/usersearch.tmpl

index a5619c2b87f3202ca896fd4256e08278fcaf0621..f90e8dcfee47a7bd46e7a4c4976fe6200f9fb316 100644 (file)
@@ -2,7 +2,6 @@ package renderer
 
 import (
        "fmt"
-       htemplate "html/template"
        "io"
        "strconv"
        "strings"
@@ -146,7 +145,6 @@ func NewRenderer(templateGlobPattern string) (r *renderer, err error) {
                "FormatTimeRFC3339":       formatTimeRFC3339,
                "FormatTimeRFC822":        formatTimeRFC822,
                "WithContext":             withContext,
-               "HTMLEscape":              htemplate.HTMLEscapeString,
        }).ParseGlob(templateGlobPattern)
        if err != nil {
                return
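Review bot: Dropping `HTMLEscape` from the FuncMap turns any remaining `{{... | HTMLEscape}}` pipeline into a startup failure, because `ParseGlob` rejects a template that references an undefined function. Only `search.tmpl` and `usersearch.tmpl` are updated in this commit; if any other file matched by `templateGlobPattern` still pipes through `HTMLEscape`, `NewRenderer` will return an error for every request path. Worth grepping the templates directory before merging, or keeping the entry as a harmless alias (`"HTMLEscape": template.HTMLEscapeString`) for one release. `NewRenderer` starts and ends outside the hunk.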
index c04557ea6f72fa9dc26b808be710e79f4ab51cb0..8db94f84b096c79a89cc56a5d26516d11bbcf603 100644 (file)
@@ -5,6 +5,7 @@ import (
        "errors"
        "fmt"
        "mime/multipart"
+       "html/template"
        "net/url"
        "strings"
 
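Review bot: The new `"html/template"` import is inserted after `"mime/multipart"`, which breaks the sorted order gofmt/goimports enforce inside an import group; move it up so the block reads `"fmt"`, `"html/template"`, `"mime/multipart"`, `"net/url"`. The import block is cut off at the top of the hunk, so I can't see whether a `text/template` import already binds the name `template` in this file; if it does, this import needs an alias (e.g. `htemplate`, matching the one just removed from renderer.go). Only `HTMLEscapeString` is used, so the whole package is pulled in for one function — acceptable, but an alias would make that explicit.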
@@ -589,18 +590,19 @@ func (svc *service) ServeUserSearchPage(c *model.Client,
 
        if len(results.Statuses) == 20 {
                offset += 20
-               nextLink = fmt.Sprintf("/usersearch/%s?q=%s&offset=%d", id, q, offset)
+               nextLink = fmt.Sprintf("/usersearch/%s?q=%s&offset=%d", id, url.QueryEscape(q), offset)
        }
 
+       qq := template.HTMLEscapeString(q)
        if len(q) > 0 {
-               title += " \"" + q + "\""
+               title += " \"" + qq + "\""
        }
 
        commonData := svc.getCommonData(c, title)
        data := &renderer.UserSearchData{
                CommonData: commonData,
                User:       user,
-               Q:          q,
+               Q:          qq,
                Statuses:   results.Statuses,
                NextLink:   nextLink,
        }
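Review bot: The `nextLink` fix escapes `q` but still splices `id` into the path unescaped, so a user ID containing `/`, `?` or `#` would change the link's route or query; `url.PathEscape(id)` is the matching one-line fix: `nextLink = fmt.Sprintf("/usersearch/%s?q=%s&offset=%d", url.PathEscape(id), url.QueryEscape(q), offset)`. Where `id` comes from is outside the hunk, so whether it can contain such characters depends on the router's validation — worth confirming. Pre-escaping into `qq` also moves the escaping contract from the template to the handler: `Q` and the title are now HTML text, correct only in HTML text/attribute contexts with a non-autoescaping template engine, and would double-encode if the renderer ever switches to `html/template`. A comment at the `qq` line stating that invariant, such as `// qq is HTML-escaped; templates render .Q and the title without further escaping`, would keep the next maintainer from escaping twice or not at all. `ServeUserSearchPage` begins before and continues after this hunk.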
@@ -649,17 +651,18 @@ func (svc *service) ServeSearchPage(c *model.Client,
        if (qType == "accounts" && len(results.Accounts) == 20) ||
                (qType == "statuses" && len(results.Statuses) == 20) {
                offset += 20
-               nextLink = fmt.Sprintf("/search?q=%s&type=%s&offset=%d", q, qType, offset)
+               nextLink = fmt.Sprintf("/search?q=%s&type=%s&offset=%d", url.QueryEscape(q), qType, offset)
        }
 
+       qq := template.HTMLEscapeString(q)
        if len(q) > 0 {
-               title += " \"" + q + "\""
+               title += " \"" + qq + "\""
        }
 
        commonData := svc.getCommonData(c, title)
        data := &renderer.SearchData{
                CommonData: commonData,
-               Q:          q,
+               Q:          qq,
                Type:       qType,
                Users:      results.Accounts,
                Statuses:   results.Statuses,
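Review bot: `qq` is computed before the `len(q) > 0` check, and `title` now carries HTML entities (`&quot;`, `&lt;`, …) — fine if `getCommonData` only feeds it to an HTML `<title>`, but wrong if the title is also logged or used in any non-HTML context, which this hunk does not show. The `qType` value in `nextLink` is safe without escaping only because the enclosing condition restricts it to `"accounts"` or `"statuses"`; that coupling deserves a comment such as `// qType is one of the two literal values checked above, so it needs no escaping` so that a later loosening of the condition does not silently reintroduce injection. The escaping logic is now duplicated between `ServeSearchPage` and `ServeUserSearchPage`; a small helper would keep the two from drifting. `ServeSearchPage` begins before and continues after this hunk.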
index 72735985721d6d68fc0f3c6bafb114fd684e80cb..0473d4a47663eb0c8a1b49a88a879ada7f7a3ad1 100644 (file)
@@ -5,7 +5,7 @@
 <form class="search-form" action="/search" method="GET">
        <span class="post-form-field">
                <label for="query"> Query </label>
-               <input id="query" name="q" value="{{.Q | HTMLEscape}}">
+               <input id="query" name="q" value="{{.Q}}">
        </span>
        <span class="post-form-field">
                <label for="type"> Type </label>
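Review bot: `value="{{.Q}}"` is now safe only because the handler pre-escapes `Q` with `HTMLEscapeString`; nothing in the template records that, so a future author reading this file alone will either pipe `.Q` through another escaper or pass raw input. A template comment above the input, `{{/* .Q is HTML-escaped by the handler; render as-is in attribute or text context only */}}`, documents the contract where it is consumed. If these templates are parsed by `text/template` (implied by the `html/template` import being removed from renderer.go), `.Q` must never be placed in a URL, `<script>` or CSS context, since attribute-style escaping does not protect those.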
index e4989bb86772a5015ea7c3aeae23e4409bb68a37..3f42f28828fbfa26d0889a9d35836b6d9b39a0d5 100644 (file)
@@ -5,7 +5,7 @@
 <form class="search-form" action="/usersearch/{{.User.ID}}" method="GET">
        <span class="post-form-field>
                <label for="query"> Query </label>
-               <input id="query" name="q" value="{{.Q | HTMLEscape}}">
+               <input id="query" name="q" value="{{.Q}}">
        </span>
        <button type="submit"> Search </button>
 </form>
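Review bot: The context line `<span class="post-form-field>` is missing its closing quote, so the browser reads everything up to the next `"` (inside `<label for="query">`) as the class value and the label/input markup is mangled; the fix is `<span class="post-form-field">`, matching search.tmpl. It is pre-existing, but this commit touches the form and is the natural place to correct it. The form `action="/usersearch/{{.User.ID}}"` inserts the ID without escaping; with a non-autoescaping template engine that is only safe if IDs are guaranteed to be plain identifiers — confirm against the client that populates `User.ID`. As with search.tmpl, a `{{/* .Q is HTML-escaped by the handler */}}` comment would record why `{{.Q}}` is rendered raw.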