Fix search-on-click #4691
Fix search-on-click #4691
Conversation
static/js/impala/site_suggestions.js
Outdated
| // Update the .sel link. | ||
| var searchUrl = settings['$form'].attr('action') + '?q={0}'; | ||
| settings['$results'].find('.sel').attr('href', format(searchUrl, | ||
| settings.searchTerm)); |
There was a problem hiding this comment.
Since this is being used in a URL it should be url encoded.
|
@numrut I think for this to work the value of the un-escaped search value needs to be run through encodeURIComponent and then HTML escaped afterwards. Otherwise the urlencoding is going to escape the See http://jsbin.com/cokacoh/edit?js,console,output which highlights the differences. See also the difference between submitting a search containing HTML on production versus running this current version of your patch. |
|
@numrut let me know if you need any pointers re: my last comment. |
|
@muffinresearch, okay, thanks! I'll try to figure it out myself at first. |
|
Found.
There are many possible solutions:
Which one should we choose? |
|
@numrut Thinking the nicest thing would be to add a |
| @@ -130,12 +130,14 @@ $.fn.searchSuggestions = function($results, processCallback, searchType) { | |||
| $results.filter('.visible').removeClass('visible'); | |||
| return; | |||
| } | |||
| var urlVal = encodeURIComponent($self.val()); | |||
There was a problem hiding this comment.
This will also need HTML escaping too.
There was a problem hiding this comment.
What is "HTML escaping"?)
There was a problem hiding this comment.
If you don't escape the HTML in the form value this would result in an XSS vulnerability [1].
In this case you need to encode for a URL and also escape any HTML in the string so that HTML can't be potentially be injected.
To do that you just need to run escape_() on the URI-encode string. See also the previous comments and jsbin for an example.
There was a problem hiding this comment.
That function escapes &, >, <, ' and ". But almost all of those symbols are already processed by encodeURIComponent. The only exception is '.
Query string must be percent-encoded [1]. And encodeURIComponent does it. escape_ makes another replace and breaks strings with ' in them. It adds ampersand, which is reserved symbol in query string.
There was a problem hiding this comment.
The ' doesn't cause a problem in the url and ends-up as %27 in the resulting href when inserted. Whilst it seems somewhat overkill I think escaping for the HTML context is still worth doing.
There was a problem hiding this comment.
The ' doesn't cause a problem in the url and ends-up as %27 in the resulting href when inserted
Seems, it happens on JS Bin only. Try escape_(encodeURIComponent("'foo'")) in browser's console.
If we really need to escape everything, str.replace(/[^]/g, escape) does the trick. But I think encodeURIComponent(str) or encodeURIComponent(str).replace(/'/g, '%27') is quite enough.
There was a problem hiding this comment.
Seems, it happens on JS Bin only. Try escape_(encodeURIComponent("'foo'")) in browser's console.
It's not just the escaping and encoding you need to append the HTML into the DOM.
There was a problem hiding this comment.
Looking at this a bit more, it's using attr for the href so escaping is implicit. I'm not sure why I was thinking this was using html() but that's only used here: https://github.com/mozilla/addons-server/blob/master/static/js/impala/site_suggestions.js#L13 so this patch is fine as it is. Sorry for the noise!
|
@numrut thanks for your contribution! |
|
@muffinresearch, thank you too! It was a very good experience! |
|
Thanks so much, @numrut! Your contribution has been added to our recognition wiki. I'd also love to help you set up your profile on mozillians.org and vouch for your awesome work. :) If you could send me your email address (either here or to cneiman [at] mozilla [dot] com, I'll send you an invite. |
|
Hi, @caitmuenster! |
|
Awesome! Invite sent. :) |
Fixes mozilla/addons#317