From 7d989d56e572606e6f4051eed6e8fd43b3d63ec5 Mon Sep 17 00:00:00 2001
From: r
Date: Sat, 17 Oct 2020 16:25:08 +0000
Subject: Fix search query escaping

---
 service/service.go | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

(limited to 'service')

diff --git a/service/service.go b/service/service.go
index c04557e..8db94f8 100644
--- a/service/service.go
+++ b/service/service.go
@@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"mime/multipart"
+	"html/template"
 	"net/url"
 	"strings"
 
@@ -589,18 +590,19 @@ func (svc *service) ServeUserSearchPage(c *model.Client,
 
 	if len(results.Statuses) == 20 {
 		offset += 20
-		nextLink = fmt.Sprintf("/usersearch/%s?q=%s&offset=%d", id, q, offset)
+		nextLink = fmt.Sprintf("/usersearch/%s?q=%s&offset=%d", id, url.QueryEscape(q), offset)
 	}
 
+	qq := template.HTMLEscapeString(q)
 	if len(q) > 0 {
-		title += " \"" + q + "\""
+		title += " \"" + qq + "\""
 	}
 
 	commonData := svc.getCommonData(c, title)
 	data := &renderer.UserSearchData{
 		CommonData: commonData,
 		User:       user,
-		Q:          q,
+		Q:          qq,
 		Statuses:   results.Statuses,
 		NextLink:   nextLink,
 	}
@@ -649,17 +651,18 @@ func (svc *service) ServeSearchPage(c *model.Client,
 	if (qType == "accounts" && len(results.Accounts) == 20) ||
 		(qType == "statuses" && len(results.Statuses) == 20) {
 		offset += 20
-		nextLink = fmt.Sprintf("/search?q=%s&type=%s&offset=%d", q, qType, offset)
+		nextLink = fmt.Sprintf("/search?q=%s&type=%s&offset=%d", url.QueryEscape(q), qType, offset)
 	}
 
+	qq := template.HTMLEscapeString(q)
 	if len(q) > 0 {
-		title += " \"" + q + "\""
+		title += " \"" + qq + "\""
 	}
 
 	commonData := svc.getCommonData(c, title)
 	data := &renderer.SearchData{
 		CommonData: commonData,
-		Q:          q,
+		Q:          qq,
 		Type:       qType,
 		Users:      results.Accounts,
 		Statuses:   results.Statuses,
-- 
cgit v1.2.3
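Review bot: `"html/template"` is inserted between `"mime/multipart"` and `"net/url"`, which breaks the alphabetical order gofmt/goimports keeps within a single import group; it belongs between `"fmt"` and `"mime/multipart"`. This is purely a style point and does not affect the build.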
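Review bot: Escaping the query by hand with `template.HTMLEscapeString` and handing the result to the renderer as `Q` and inside `title` puts escaping at the wrong layer: if the renderer parses its templates with html/template (not visible from this hunk), `qq` is escaped a second time and a search for `a&b` is displayed as `a&amp;b`, while if it uses text/template every other field in the struct still goes out raw. The same hunk leaves `nextLink` without HTML escaping even though it now carries `&` and the user-controlled query, and `id` is interpolated into the path without `url.PathEscape`, so the protection is inconsistent within one struct. The robust fix is to keep `Q`, `title` and `NextLink` as plain values and rely on html/template's contextual autoescaping in the renderer, after confirming which template package the renderer uses; a test rendering a query such as `<b>&"'` through the page would pin the behaviour. ServeSearchPage in the next hunk has the identical pattern and this note covers both. Both functions start and end outside their hunks.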
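Review bot: `qType` is interpolated into `nextLink` unescaped and passed to the renderer as `Type` while `q` now receives both URL and HTML escaping; the condition above only compares it against `"accounts"` and `"statuses"`, it does not constrain it. If qType is taken from the request and not validated earlier in the function (its start is outside the hunk), it needs `url.QueryEscape(qType)` in the Sprintf and the same display treatment as `q`, or better a check that rejects anything but the two known values before this point. The concern about hand-escaping raised on ServeUserSearchPage applies here unchanged.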