From 7d989d56e572606e6f4051eed6e8fd43b3d63ec5 Mon Sep 17 00:00:00 2001
From: r <r@freesoftwareextremist.com>
Date: Sat, 17 Oct 2020 16:25:08 +0000
Subject: Fix search query escaping

---
 renderer/renderer.go      |  2 --
 service/service.go        | 15 +++++++++------
 templates/search.tmpl     |  2 +-
 templates/usersearch.tmpl |  2 +-
 4 files changed, 11 insertions(+), 10 deletions(-)

diff --git a/renderer/renderer.go b/renderer/renderer.go
index a5619c2..f90e8dc 100644
--- a/renderer/renderer.go
+++ b/renderer/renderer.go
@@ -2,7 +2,6 @@ package renderer
 
 import (
 	"fmt"
-	htemplate "html/template"
 	"io"
 	"strconv"
 	"strings"
@@ -146,7 +145,6 @@ func NewRenderer(templateGlobPattern string) (r *renderer, err error) {
 		"FormatTimeRFC3339":       formatTimeRFC3339,
 		"FormatTimeRFC822":        formatTimeRFC822,
 		"WithContext":             withContext,
-		"HTMLEscape":              htemplate.HTMLEscapeString,
 	}).ParseGlob(templateGlobPattern)
 	if err != nil {
 		return
diff --git a/service/service.go b/service/service.go
index c04557e..8db94f8 100644
--- a/service/service.go
+++ b/service/service.go
@@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"mime/multipart"
+	"html/template"
 	"net/url"
 	"strings"
 
@@ -589,18 +590,19 @@ func (svc *service) ServeUserSearchPage(c *model.Client,
 
 	if len(results.Statuses) == 20 {
 		offset += 20
-		nextLink = fmt.Sprintf("/usersearch/%s?q=%s&offset=%d", id, q, offset)
+		nextLink = fmt.Sprintf("/usersearch/%s?q=%s&offset=%d", id, url.QueryEscape(q), offset)
 	}
 
+	qq := template.HTMLEscapeString(q)
 	if len(q) > 0 {
-		title += " \"" + q + "\""
+		title += " \"" + qq + "\""
 	}
 
 	commonData := svc.getCommonData(c, title)
 	data := &renderer.UserSearchData{
 		CommonData: commonData,
 		User:       user,
-		Q:          q,
+		Q:          qq,
 		Statuses:   results.Statuses,
 		NextLink:   nextLink,
 	}
@@ -649,17 +651,18 @@ func (svc *service) ServeSearchPage(c *model.Client,
 	if (qType == "accounts" && len(results.Accounts) == 20) ||
 		(qType == "statuses" && len(results.Statuses) == 20) {
 		offset += 20
-		nextLink = fmt.Sprintf("/search?q=%s&type=%s&offset=%d", q, qType, offset)
+		nextLink = fmt.Sprintf("/search?q=%s&type=%s&offset=%d", url.QueryEscape(q), qType, offset)
 	}
 
+	qq := template.HTMLEscapeString(q)
 	if len(q) > 0 {
-		title += " \"" + q + "\""
+		title += " \"" + qq + "\""
 	}
 
 	commonData := svc.getCommonData(c, title)
 	data := &renderer.SearchData{
 		CommonData: commonData,
-		Q:          q,
+		Q:          qq,
 		Type:       qType,
 		Users:      results.Accounts,
 		Statuses:   results.Statuses,
diff --git a/templates/search.tmpl b/templates/search.tmpl
index 7273598..0473d4a 100644
--- a/templates/search.tmpl
+++ b/templates/search.tmpl
@@ -5,7 +5,7 @@
 <form class="search-form" action="/search" method="GET">
 	<span class="post-form-field">
 		<label for="query"> Query </label>
-		<input id="query" name="q" value="{{.Q | HTMLEscape}}">
+		<input id="query" name="q" value="{{.Q}}">
 	</span>
 	<span class="post-form-field">
 		<label for="type"> Type </label>
diff --git a/templates/usersearch.tmpl b/templates/usersearch.tmpl
index e4989bb..3f42f28 100644
--- a/templates/usersearch.tmpl
+++ b/templates/usersearch.tmpl
@@ -5,7 +5,7 @@
 <form class="search-form" action="/usersearch/{{.User.ID}}" method="GET">
 	<span class="post-form-field>
 		<label for="query"> Query </label>
-		<input id="query" name="q" value="{{.Q | HTMLEscape}}">
+		<input id="query" name="q" value="{{.Q}}">
 	</span>
 	<button type="submit"> Search </button>
 </form>
-- 
cgit v1.2.3