From 7d989d56e572606e6f4051eed6e8fd43b3d63ec5 Mon Sep 17 00:00:00 2001
From: r
Date: Sat, 17 Oct 2020 16:25:08 +0000
Subject: Fix search query escaping
---
renderer/renderer.go | 2 --
service/service.go | 15 +++++++++------
templates/search.tmpl | 2 +-
templates/usersearch.tmpl | 2 +-
4 files changed, 11 insertions(+), 10 deletions(-)
diff --git a/renderer/renderer.go b/renderer/renderer.go
index a5619c2..f90e8dc 100644
--- a/renderer/renderer.go
+++ b/renderer/renderer.go
@@ -2,7 +2,6 @@ package renderer
import (
"fmt"
- htemplate "html/template"
"io"
"strconv"
"strings"
@@ -146,7 +145,6 @@ func NewRenderer(templateGlobPattern string) (r *renderer, err error) {
"FormatTimeRFC3339": formatTimeRFC3339,
"FormatTimeRFC822": formatTimeRFC822,
"WithContext": withContext,
- "HTMLEscape": htemplate.HTMLEscapeString,
}).ParseGlob(templateGlobPattern)
if err != nil {
return
diff --git a/service/service.go b/service/service.go
index c04557e..8db94f8 100644
--- a/service/service.go
+++ b/service/service.go
@@ -5,6 +5,7 @@ import (
"errors"
"fmt"
"mime/multipart"
+ "html/template"
"net/url"
"strings"
@@ -589,18 +590,19 @@ func (svc *service) ServeUserSearchPage(c *model.Client,
if len(results.Statuses) == 20 {
offset += 20
- nextLink = fmt.Sprintf("/usersearch/%s?q=%s&offset=%d", id, q, offset)
+ nextLink = fmt.Sprintf("/usersearch/%s?q=%s&offset=%d", id, url.QueryEscape(q), offset)
}
+ qq := template.HTMLEscapeString(q)
if len(q) > 0 {
- title += " \"" + q + "\""
+ title += " \"" + qq + "\""
}
commonData := svc.getCommonData(c, title)
data := &renderer.UserSearchData{
CommonData: commonData,
User: user,
- Q: q,
+ Q: qq,
Statuses: results.Statuses,
NextLink: nextLink,
}
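Review bot: The added `"html/template"` line sits after `"mime/multipart"`, which breaks the alphabetical order gofmt keeps within an import group (`"errors"`, `"fmt"`, `"html/template"`, `"mime/multipart"`, `"net/url"`, …); the next gofmt/goimports run will move it anyway, so it is better placed between `"fmt"` and `"mime/multipart"` now. Nothing else in the visible import block imports a package under the name `template`, so the unaliased import is otherwise fine.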
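Review bot: The HTML-escaped `qq` is spliced into `title` and then handed to `svc.getCommonData(c, title)`, a shared helper that other handlers outside this hunk presumably still call with raw titles; whichever way the common title is rendered, one group of callers now gets the wrong treatment — either this page's title double-escapes (`&amp;#34;`) or the other pages' titles render unescaped. Escaping should live at exactly one layer: either keep `title += " \"" + q + "\""` raw and escape where the title is rendered, or document on `CommonData` that `Title` must already be HTML-escaped and make every caller comply. `nextLink` also still interpolates `id` unescaped into the path; if `id` can carry `/`, `?` or `#` it should be `url.PathEscape(id)`. Since `Q` now carries pre-escaped text that is only correct for an HTML text or attribute context, a comment such as `// Q is HTML-escaped here: the templates render it verbatim` on the `qq :=` line would keep a later template or JSON consumer from double-escaping or mis-escaping it. ServeUserSearchPage starts outside the hunk.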
@@ -649,17 +651,18 @@ func (svc *service) ServeSearchPage(c *model.Client,
if (qType == "accounts" && len(results.Accounts) == 20) || (qType == "statuses" && len(results.Statuses) == 20) {
offset += 20
- nextLink = fmt.Sprintf("/search?q=%s&type=%s&offset=%d", q, qType, offset)
+ nextLink = fmt.Sprintf("/search?q=%s&type=%s&offset=%d", url.QueryEscape(q), qType, offset)
}
+ qq := template.HTMLEscapeString(q)
if len(q) > 0 {
- title += " \"" + q + "\""
+ title += " \"" + qq + "\""
}
commonData := svc.getCommonData(c, title)
data := &renderer.SearchData{
CommonData: commonData,
- Q: q,
+ Q: qq,
Type: qType,
Users: results.Accounts,
Statuses: results.Statuses,
diff --git a/templates/search.tmpl b/templates/search.tmpl
index 7273598..0473d4a 100644
--- a/templates/search.tmpl
+++ b/templates/search.tmpl
@@ -5,7 +5,7 @@
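Review bot: `Type: qType` goes into the template data unescaped while `Q` is now escaped, and the only validation of `qType` visible in this hunk is the comparison against `"accounts"`/`"statuses"` that gates `nextLink`; if `qType` is read from the request without an earlier whitelist check (outside the hunk), it reaches the template with exactly the exposure this commit removes for `q`. Either reject anything but the two known values before this point, or give it the same treatment, e.g. `Type: template.HTMLEscapeString(qType),`. As in the user-search handler, `title` now carries the pre-escaped `qq` into the shared `svc.getCommonData(c, title)`, so the title rendering must agree with every other caller on whether titles arrive already escaped. ServeSearchPage starts outside the hunk.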
- + diff --git a/templates/usersearch.tmpl b/templates/usersearch.tmpl index e4989bb..3f42f28 100644 --- a/templates/usersearch.tmpl +++ b/templates/usersearch.tmpl @@ -5,7 +5,7 @@ Query - + -- cgit v1.2.3