Fix search-on-click #4691
Conversation
static/js/impala/site_suggestions.js
Outdated
// Update the .sel link.
var searchUrl = settings['$form'].attr('action') + '?q={0}';
settings['$results'].find('.sel').attr('href', format(searchUrl,
    settings.searchTerm));
Since this is being used in a URL it should be URL-encoded.
@numrut I think for this to work the value of the un-escaped search value needs to be run through encodeURIComponent and then HTML escaped afterwards. Otherwise the URL encoding is going to escape the See http://jsbin.com/cokacoh/edit?js,console,output which highlights the differences. See also the difference between submitting a search containing HTML on production versus running this current version of your patch.
@numrut let me know if you need any pointers re: my last comment.
@muffinresearch, okay, thanks! I'll try to figure it out myself at first.
Found.
There are many possible solutions:
Which one should we choose?
@numrut Thinking the nicest thing would be to add a
@@ -130,12 +130,14 @@ $.fn.searchSuggestions = function($results, processCallback, searchType) { | |||
$results.filter('.visible').removeClass('visible'); | |||
return; | |||
} | |||
var urlVal = encodeURIComponent($self.val()); |
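Review bot: `urlVal = encodeURIComponent($self.val())` is correct for the `.attr('href', ...)` path this thread ends on, but nothing in the hunk records that the value is URL-encoded only and not HTML-escaped; add a one-line comment above it saying so, so that a later change which concatenates `urlVal` into a markup string passed to `.html()` (the context the thread discusses for line 13 of this file) does not reintroduce the injection risk this review was about.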
This will also need HTML escaping.
What is "HTML escaping"?)
If you don't escape the HTML in the form value this would result in an XSS vulnerability [1].
In this case you need to encode for a URL and also escape any HTML in the string so that HTML can't potentially be injected.
To do that you just need to run escape_() on the URI-encoded string. See also the previous comments and jsbin for an example.
That function escapes &, >, <, ' and ". But almost all of those symbols are already processed by encodeURIComponent. The only exception is '.
A query string must be percent-encoded [1], and encodeURIComponent does it. escape_ makes another replacement and breaks strings with ' in them: it adds an ampersand, which is a reserved symbol in a query string.
The ' doesn't cause a problem in the URL and ends up as %27 in the resulting href when inserted. Whilst it seems somewhat overkill I think escaping for the HTML context is still worth doing.
The ' doesn't cause a problem in the url and ends-up as %27 in the resulting href when inserted
Seems it happens on JS Bin only. Try escape_(encodeURIComponent("'foo'")) in the browser's console.
If we really need to escape everything, str.replace(/[^]/g, escape) does the trick. But I think encodeURIComponent(str) or encodeURIComponent(str).replace(/'/g, '%27') is quite enough.
Seems, it happens on JS Bin only. Try escape_(encodeURIComponent("'foo'")) in browser's console.
It's not just the escaping and encoding you need to append the HTML into the DOM.
Looking at this a bit more, it's using attr for the href so escaping is implicit. I'm not sure why I was thinking this was using html() but that's only used here: https://github.com/mozilla/addons-server/blob/master/static/js/impala/site_suggestions.js#L13 so this patch is fine as it is. Sorry for the noise!
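The disagreement in this thread comes down to which output context the encoded search term lands in. The following is an added example, not code from the addons-server repository: it puts the two contexts side by side, a value handed to the DOM through attr()/setAttribute() (URL encoding only) and a value concatenated into markup that will be parsed by .html()/innerHTML (URL encoding, then HTML escaping of the whole attribute value). htmlEscape() is an assumed stand-in for the project's escape_() helper (that it turns the apostrophe into &#39; is an assumption), htmlUnescape() models the parser's decoding of entities in an attribute, and the form action and search terms are constructed sample values.

```javascript
// Added example (not from mozilla/addons-server). Contrasts the two output
// contexts discussed in the review: DOM attribute API vs. HTML string.
// htmlEscape() is an assumed stand-in for the project's escape_() helper.

// Minimal HTML escaper for the five characters the thread lists.
function htmlEscape(s) {
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, function (c) { return map[c]; });
}

// Inverse of htmlEscape(): models what the HTML parser does to an attribute
// value when markup is inserted with .html() / innerHTML.
function htmlUnescape(s) {
  var map = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" };
  return String(s).replace(/&(amp|lt|gt|quot|#39);/g, function (_, e) { return map[e]; });
}

// Context 1: the value goes straight into the DOM via attr()/setAttribute().
// Only URL encoding is needed; the DOM stores the string without parsing it.
// Note that encodeURIComponent leaves the apostrophe alone but does encode
// the double quote, so the value cannot break out of a double-quoted href.
function searchHrefForAttr(action, term) {
  return action + '?q=' + encodeURIComponent(term);
}

// Context 2: the value is concatenated into markup that will be parsed.
// URL-encode first (for the query string), then HTML-escape the whole
// attribute value (for the markup). The parser undoes the HTML escaping, so
// the browser ends up holding exactly the URL-encoded string.
function searchAnchorMarkup(action, term) {
  var href = htmlEscape(searchHrefForAttr(action, term));
  return '<a class="sel" href="' + href + '">' + htmlEscape(term) + '</a>';
}

// Extract the href value the parser would see from the markup above
// (a stand-in for reading anchor.getAttribute('href') after .html()).
function hrefSeenByParser(markup) {
  var m = /href="([^"]*)"/.exec(markup);
  return m ? htmlUnescape(m[1]) : null;
}

// Constructed sample inputs: an assumed form action, one term with HTML
// metacharacters, and one with the apostrophe encodeURIComponent skips.
var ACTION = '/search/';
var HTML_TERM = '<b>foo</b>&"bar';
var QUOTE_TERM = "'foo'";

// Both contexts must converge on the same URL-encoded href.
function demo() {
  return {
    attrPathHtmlTerm: searchHrefForAttr(ACTION, HTML_TERM),
    attrPathQuoteTerm: searchHrefForAttr(ACTION, QUOTE_TERM),
    rawEscapedQuote: htmlEscape(encodeURIComponent(QUOTE_TERM)),
    markupQuoteTerm: searchAnchorMarkup(ACTION, QUOTE_TERM),
    parsedHrefQuoteTerm: hrefSeenByParser(searchAnchorMarkup(ACTION, QUOTE_TERM)),
    contextsAgree:
      hrefSeenByParser(searchAnchorMarkup(ACTION, HTML_TERM)) === searchHrefForAttr(ACTION, HTML_TERM) &&
      hrefSeenByParser(searchAnchorMarkup(ACTION, QUOTE_TERM)) === searchHrefForAttr(ACTION, QUOTE_TERM)
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

rawEscapedQuote is the string numrut saw in the console (&#39;foo&#39;): it is the right intermediate only for the markup path, where the parser turns it back into 'foo' before the browser sees the URL. The attr() path never needs that step, which is the conclusion the review reached.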
@numrut thanks for your contribution!
@muffinresearch, thank you too! It was a very good experience!
Thanks so much, @numrut! Your contribution has been added to our recognition wiki. I'd also love to help you set up your profile on mozillians.org and vouch for your awesome work. :) If you could send me your email address (either here or to cneiman [at] mozilla [dot] com), I'll send you an invite.
Hi, @caitmuenster!
Awesome! Invite sent. :)
Fixes mozilla/addons#317