aboutsummaryrefslogtreecommitdiff
path: root/service
diff options
context:
space:
mode:
authorr <r@freesoftwareextremist.com>2020-10-17 16:25:08 +0000
committerr <r@freesoftwareextremist.com>2020-10-17 16:25:08 +0000
commit7d989d56e572606e6f4051eed6e8fd43b3d63ec5 (patch)
treee69f0dd2aea4477484ce55598d650aa6e76b3324 /service
parent9c5cb289f9ec9cce597a0d9ee1284cf61c69ac66 (diff)
downloadbloat-7d989d56e572606e6f4051eed6e8fd43b3d63ec5.tar.gz
bloat-7d989d56e572606e6f4051eed6e8fd43b3d63ec5.zip
Fix search query escaping
Diffstat (limited to 'service')
-rw-r--r--service/service.go15
1 files changed, 9 insertions, 6 deletions
diff --git a/service/service.go b/service/service.go
index c04557e..8db94f8 100644
--- a/service/service.go
+++ b/service/service.go
@@ -5,6 +5,7 @@ import (
"errors"
"fmt"
"mime/multipart"
+ "html/template"
"net/url"
"strings"
@@ -589,18 +590,19 @@ func (svc *service) ServeUserSearchPage(c *model.Client,
if len(results.Statuses) == 20 {
offset += 20
- nextLink = fmt.Sprintf("/usersearch/%s?q=%s&offset=%d", id, q, offset)
+ nextLink = fmt.Sprintf("/usersearch/%s?q=%s&offset=%d", id, url.QueryEscape(q), offset)
}
+ qq := template.HTMLEscapeString(q)
if len(q) > 0 {
- title += " \"" + q + "\""
+ title += " \"" + qq + "\""
}
commonData := svc.getCommonData(c, title)
data := &renderer.UserSearchData{
CommonData: commonData,
User: user,
- Q: q,
+ Q: qq,
Statuses: results.Statuses,
NextLink: nextLink,
}
@@ -649,17 +651,18 @@ func (svc *service) ServeSearchPage(c *model.Client,
if (qType == "accounts" && len(results.Accounts) == 20) ||
(qType == "statuses" && len(results.Statuses) == 20) {
offset += 20
- nextLink = fmt.Sprintf("/search?q=%s&type=%s&offset=%d", q, qType, offset)
+ nextLink = fmt.Sprintf("/search?q=%s&type=%s&offset=%d", url.QueryEscape(q), qType, offset)
}
+ qq := template.HTMLEscapeString(q)
if len(q) > 0 {
- title += " \"" + q + "\""
+ title += " \"" + qq + "\""
}
commonData := svc.getCommonData(c, title)
data := &renderer.SearchData{
CommonData: commonData,
- Q: q,
+ Q: qq,
Type: qType,
Users: results.Accounts,
Statuses: results.Statuses,