author | r <r@freesoftwareextremist.com> | 2020-10-17 16:25:08 +0000 |
---|---|---|
committer | r <r@freesoftwareextremist.com> | 2020-10-17 16:25:08 +0000 |
commit | 7d989d56e572606e6f4051eed6e8fd43b3d63ec5 (patch) | |
tree | e69f0dd2aea4477484ce55598d650aa6e76b3324 /service | |
parent | 9c5cb289f9ec9cce597a0d9ee1284cf61c69ac66 (diff) | |
Fix search query escaping
Diffstat (limited to 'service')
-rw-r--r-- | service/service.go | 15 |
1 files changed, 9 insertions, 6 deletions
diff --git a/service/service.go b/service/service.go
index c04557e..8db94f8 100644
--- a/service/service.go
+++ b/service/service.go
@@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"mime/multipart"
+	"html/template"
 	"net/url"
 	"strings"
 
@@ -589,18 +590,19 @@ func (svc *service) ServeUserSearchPage(c *model.Client,
 	if len(results.Statuses) == 20 {
 		offset += 20
-		nextLink = fmt.Sprintf("/usersearch/%s?q=%s&offset=%d", id, q, offset)
+		nextLink = fmt.Sprintf("/usersearch/%s?q=%s&offset=%d", id, url.QueryEscape(q), offset)
 	}
+	qq := template.HTMLEscapeString(q)
 	if len(q) > 0 {
-		title += " \"" + q + "\""
+		title += " \"" + qq + "\""
 	}
 	commonData := svc.getCommonData(c, title)
 	data := &renderer.UserSearchData{
 		CommonData: commonData,
 		User:       user,
-		Q:          q,
+		Q:          qq,
 		Statuses:   results.Statuses,
 		NextLink:   nextLink,
 	}
@@ -649,17 +651,18 @@ func (svc *service) ServeSearchPage(c *model.Client,
 	if (qType == "accounts" && len(results.Accounts) == 20) || (qType == "statuses" && len(results.Statuses) == 20) {
 		offset += 20
-		nextLink = fmt.Sprintf("/search?q=%s&type=%s&offset=%d", q, qType, offset)
+		nextLink = fmt.Sprintf("/search?q=%s&type=%s&offset=%d", url.QueryEscape(q), qType, offset)
 	}
+	qq := template.HTMLEscapeString(q)
 	if len(q) > 0 {
-		title += " \"" + q + "\""
+		title += " \"" + qq + "\""
 	}
 	commonData := svc.getCommonData(c, title)
 	data := &renderer.SearchData{
 		CommonData: commonData,
-		Q:          q,
+		Q:          qq,
 		Type:       qType,
 		Users:      results.Accounts,
 		Statuses:   results.Statuses,
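Review bot: The new `"html/template"` import is inserted after `"mime/multipart"`, which breaks the alphabetical order of the stdlib group that gofmt/goimports keep. Move the line up so it sits between `"fmt"` and `"mime/multipart"`; this is the only change in the import hunk.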
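Review bot: Pre-escaping q with `template.HTMLEscapeString` before it reaches `title` and the `Q` field will double-escape if renderer renders these values through html/template, so a query like `a "b"` would be shown as `a &quot;b&quot;`; the renderer is not visible in this hunk, so please confirm which engine it uses and, if it is html/template, pass the raw q and let contextual escaping do the work (the identical change in the ServeSearchPage hunk has the same issue). Independently of that, the `id` path segment on the usersearch nextLink line is still interpolated raw while q now is escaped; `nextLink = fmt.Sprintf("/usersearch/%s?q=%s&offset=%d", url.PathEscape(id), url.QueryEscape(q), offset)` keeps the path well-formed if id carries reserved characters. Both ServeUserSearchPage and ServeSearchPage begin before their hunks, so where q and id originate and whether they are validated earlier cannot be seen here.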