authorr <r@freesoftwareextremist.com>2020-10-17 16:25:08 +0000
committerr <r@freesoftwareextremist.com>2020-10-17 16:25:08 +0000
commit7d989d56e572606e6f4051eed6e8fd43b3d63ec5 (patch)
treee69f0dd2aea4477484ce55598d650aa6e76b3324
parent9c5cb289f9ec9cce597a0d9ee1284cf61c69ac66 (diff)
downloadbloat-7d989d56e572606e6f4051eed6e8fd43b3d63ec5.tar.gz
bloat-7d989d56e572606e6f4051eed6e8fd43b3d63ec5.zip
Fix search query escaping
-rw-r--r--renderer/renderer.go2
-rw-r--r--service/service.go15
-rw-r--r--templates/search.tmpl2
-rw-r--r--templates/usersearch.tmpl2
4 files changed, 11 insertions, 10 deletions
diff --git a/renderer/renderer.go b/renderer/renderer.go
index a5619c2..f90e8dc 100644
--- a/renderer/renderer.go
+++ b/renderer/renderer.go
@@ -2,7 +2,6 @@ package renderer
import (
"fmt"
- htemplate "html/template"
"io"
"strconv"
"strings"
@@ -146,7 +145,6 @@ func NewRenderer(templateGlobPattern string) (r *renderer, err error) {
"FormatTimeRFC3339": formatTimeRFC3339,
"FormatTimeRFC822": formatTimeRFC822,
"WithContext": withContext,
- "HTMLEscape": htemplate.HTMLEscapeString,
}).ParseGlob(templateGlobPattern)
if err != nil {
return
diff --git a/service/service.go b/service/service.go
index c04557e..8db94f8 100644
--- a/service/service.go
+++ b/service/service.go
@@ -5,6 +5,7 @@ import (
"errors"
"fmt"
"mime/multipart"
+ "html/template"
"net/url"
"strings"
@@ -589,18 +590,19 @@ func (svc *service) ServeUserSearchPage(c *model.Client,
if len(results.Statuses) == 20 {
offset += 20
- nextLink = fmt.Sprintf("/usersearch/%s?q=%s&offset=%d", id, q, offset)
+ nextLink = fmt.Sprintf("/usersearch/%s?q=%s&offset=%d", id, url.QueryEscape(q), offset)
}
+ qq := template.HTMLEscapeString(q)
if len(q) > 0 {
- title += " \"" + q + "\""
+ title += " \"" + qq + "\""
}
commonData := svc.getCommonData(c, title)
data := &renderer.UserSearchData{
CommonData: commonData,
User: user,
- Q: q,
+ Q: qq,
Statuses: results.Statuses,
NextLink: nextLink,
}
@@ -649,17 +651,18 @@ func (svc *service) ServeSearchPage(c *model.Client,
if (qType == "accounts" && len(results.Accounts) == 20) ||
(qType == "statuses" && len(results.Statuses) == 20) {
offset += 20
- nextLink = fmt.Sprintf("/search?q=%s&type=%s&offset=%d", q, qType, offset)
+ nextLink = fmt.Sprintf("/search?q=%s&type=%s&offset=%d", url.QueryEscape(q), qType, offset)
}
+ qq := template.HTMLEscapeString(q)
if len(q) > 0 {
- title += " \"" + q + "\""
+ title += " \"" + qq + "\""
}
commonData := svc.getCommonData(c, title)
data := &renderer.SearchData{
CommonData: commonData,
- Q: q,
+ Q: qq,
Type: qType,
Users: results.Accounts,
Statuses: results.Statuses,
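Review bot: `Q: qq` and `title += " \"" + qq + "\""` hand already HTML-escaped text to the template, so the fix is correct only if the renderer parses these files with text/template; if it uses html/template, `{{.Q}}` is escaped a second time and a query such as `a&b` would be shown as `a&amp;b`. The renderer hunk drops the "html/template" import, which suggests text/template, but the ParseGlob receiver is outside this diff, so confirm which engine is in use. Either way the `Q` field now carries text that is safe for one output context only; document that on renderer.SearchData and renderer.UserSearchData, e.g. `// Q is the search query, already HTML-escaped for attribute and text contexts.`, and the same applies to the ServeSearchPage hunk below. In the ServeUserSearchPage hunk `id` is still interpolated into the path unescaped; its origin is outside the hunk, but if it comes from the request, `url.PathEscape(id)` would match the treatment now given to `q`. Separately, `"html/template"` is inserted after `"mime/multipart"`, which breaks the sorted import group gofmt/goimports expect; it belongs between `"fmt"` and `"mime/multipart"`.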
diff --git a/templates/search.tmpl b/templates/search.tmpl
index 7273598..0473d4a 100644
--- a/templates/search.tmpl
+++ b/templates/search.tmpl
@@ -5,7 +5,7 @@
<form class="search-form" action="/search" method="GET">
<span class="post-form-field">
<label for="query"> Query </label>
- <input id="query" name="q" value="{{.Q | HTMLEscape}}">
+ <input id="query" name="q" value="{{.Q}}">
</span>
<span class="post-form-field">
<label for="type"> Type </label>
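Review bot: `value="{{.Q}}"` now depends on the service layer having escaped `.Q` before it reaches the template, and nothing in the template records that contract, so a later edit could reasonably reintroduce raw output; a comment such as `{{/* .Q is HTML-escaped by the service layer; do not escape it again here */}}` next to the input would make the dependency explicit. The same applies to templates/usersearch.tmpl. If the engine is text/template, as the removal of the HTMLEscape helper suggests, other values rendered in these forms (for example `{{.User.ID}}` in the usersearch action attribute) get no escaping at all and rely on the value being safe; worth confirming where each comes from.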
diff --git a/templates/usersearch.tmpl b/templates/usersearch.tmpl
index e4989bb..3f42f28 100644
--- a/templates/usersearch.tmpl
+++ b/templates/usersearch.tmpl
@@ -5,7 +5,7 @@
<form class="search-form" action="/usersearch/{{.User.ID}}" method="GET">
<span class="post-form-field>
<label for="query"> Query </label>
- <input id="query" name="q" value="{{.Q | HTMLEscape}}">
+ <input id="query" name="q" value="{{.Q}}">
</span>
<button type="submit"> Search </button>
</form>
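Review bot: The new `<input id="query" name="q" value="{{.Q}}">` line sits inside `<span class="post-form-field>`, whose class attribute is missing its closing quote (pre-existing, but visible in this hunk), so the attribute value runs on to the next `"` and the markup around the input is parsed unpredictably by the browser. The line should read `<span class="post-form-field">`, as it does in search.tmpl; fixing it while this form is being touched would keep the escaped value rendering as intended.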