From 99f24eb59840cd479bc59c5fc19e48acd24106cb Mon Sep 17 00:00:00 2001 From: Veloman Yunkan Date: Mon, 12 Dec 2022 17:12:24 +0400 Subject: [PATCH] Safe href in suggestion links --- static/skin/viewer.js | 9 ++++++++- test/server.cpp | 4 ++-- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/static/skin/viewer.js b/static/skin/viewer.js index b37c95ee6..10e8b48d9 100644 --- a/static/skin/viewer.js +++ b/static/skin/viewer.js @@ -342,7 +342,14 @@ function setupSuggestions() { } else { searchLink = `${root}/search?content=${encodeURIComponent(currentBook)}&pattern=${encodeURIComponent(htmlDecode(data.value.value))}`; } - item.innerHTML = `${htmlDecode(data.value.label)}`; + const jsAction = `gotoUrl('${searchLink}')`; + // Values of the href attribute are assumed by the browser to be + // fully URI-encoded (no matter what the scheme is). Therefore, in + // order to prevent the browser from decoding the URI-encoded parts + // of searchLink we have to URI-encode a second time. + // (see https://stackoverflow.com/questions/33721510) + const jsActionURIEncoded = encodeURIComponent(jsAction); + item.innerHTML = `${htmlDecode(data.value.label)}`; }, highlight: "autoComplete_highlight", selected: "autoComplete_selected" diff --git a/test/server.cpp b/test/server.cpp index 072233d45..d110707c5 100644 --- a/test/server.cpp +++ b/test/server.cpp @@ -69,7 +69,7 @@ const ResourceCollection resources200Compressible{ { DYNAMIC_CONTENT, "/ROOT/skin/taskbar.css" }, { STATIC_CONTENT, "/ROOT/skin/taskbar.css?cacheid=216d6b5d" }, { DYNAMIC_CONTENT, "/ROOT/skin/viewer.js" }, - { STATIC_CONTENT, "/ROOT/skin/viewer.js?cacheid=51e745c2" }, + { STATIC_CONTENT, "/ROOT/skin/viewer.js?cacheid=0933a233" }, { DYNAMIC_CONTENT, "/ROOT/skin/fonts/Poppins.ttf" }, { STATIC_CONTENT, "/ROOT/skin/fonts/Poppins.ttf?cacheid=af705837" }, { DYNAMIC_CONTENT, "/ROOT/skin/fonts/Roboto.ttf" }, @@ -291,7 +291,7 @@ R"EXPECTEDRESULT( - + const blankPageUrl = root + "/skin/blank.html?cacheid=6b1fa032";