
Commit 7a32167

committed
Add HTML escaping instead of stripping HTML tags
1 parent 939c2e6 commit 7a32167


3 files changed

+14
-50
lines changed


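--- a/app/Resources/assets/js/jquery.instantSearch.js
+++ b/app/Resources/assets/js/jquery.instantSearch.js
@@ -20,7 +20,6 @@
 };
 
 var defaultConfig = {
-allowedTags: '',
 minQueryLength: 2,
 maxPreviewItems: 10,
 previewDelay: 500,
@@ -38,35 +37,11 @@
 };
 }
 
-function isValidUrl(url) {
-var parser = document.createElement('a');
-try {
-parser.href = url;
-return !!parser.hostname;
-} catch (e) {
-return false;
-}
-}
-
-// See http://phpjs.org/functions/strip_tags/
-function stripTags(input, allowed) {
-allowed = (((allowed || '') + '').toLowerCase().match(/<[a-z][a-z0-9]*>/g) || []).join('');
-
-var tags = /<\/?([a-z][a-z0-9]*)\b[^>]*>/gi;
-var commentsAndPhpTags = /<!--[\s\S]*?-->|<\?(?:php)?[\s\S]*?\?>/gi;
-
-return input.replace(commentsAndPhpTags, '').replace(tags, function($0, $1) {
-return allowed.indexOf('<' + $1.toLowerCase() + '>') > -1 ? $0 : '';
-});
-}
-
 var initInstantSearch = function(el, config) {
 var $input = $(el);
 var $form = $input.closest('form');
 var $preview = $('<ul class="search-preview list-group"></ul>').appendTo($form);
 
-config.noItemsFoundMessage = stripTags(config.noItemsFoundMessage);
-
 var setPreviewItems = function(items) {
 $preview.empty();
 
@@ -80,44 +55,36 @@
 }
 
 var addItemToPreview = function(item) {
-$preview.append('<li class="list-group-item"><a href="' + item.url + '">' + item.result + '</a></li>');
+var $link = $('<a>').attr('href', item.url).text(item.result);
+var $li = $('<li class="list-group-item">').append($link);
+
+$preview.append($li);
 }
 
 var noItemsFound = function() {
+var $li = $('<li class="list-group-item">').text(config.noItemsFoundMessage);
+
 $preview.empty();
-$preview.append('<li class="list-group-item">' + config.noItemsFoundMessage + '</li>');
+$preview.append($li);
 }
 
 var updatePreview = function() {
-if ($input.val().length < config.minQueryLength) {
+var query = $.trim($input.val()).replace(/\s{2,}/g, ' ');
+if (query.length < config.minQueryLength) {
 $preview.empty();
 return;
 }
 
 $.getJSON($form.attr('action') + '?' + $form.serialize(), function(items) {
-// Sanitize items
-var sanitizedItems = [];
-$.each(items, function(index, item) {
-// Url can contains a 'javascript:' code
-if (isValidUrl(item.url)) {
-sanitizedItems.push({
-url: item.url,
-result: stripTags(item.result, config.allowedTags)
-});
-}
-});
-
-if (sanitizedItems.length === 0) {
+if (items.length === 0) {
 noItemsFound();
 return;
 }
 
-setPreviewItems(sanitizedItems);
+setPreviewItems(items);
 });
 }
 
-var debouncedUpdatePreview = debounce(updatePreview, config.previewDelay);
-
 $input.focusout(function(e) {
 $preview.fadeOut();
 });
@@ -127,8 +94,6 @@
 updatePreview();
 });
 
-$input.keyup(function(e) {
-debouncedUpdatePreview();
-});
+$input.keyup(debounce(updatePreview, config.previewDelay));
 }
 })(window.jQuery);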
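Review bot: Dropping the isValidUrl filter in the getJSON callback (third hunk) leaves `item.url` flowing straight into `.attr('href', item.url)` in addItemToPreview, and jQuery's attr() does not reject non-http schemes, so the preview now relies entirely on the server only ever emitting router-generated URLs. Moving the result text to `.text(item.result)` is the right fix for the markup injection, but a client-side scheme check is cheap and keeps the defence in depth the old code had: `if (!/^(https?:)?\//.test(item.url)) { return; }` as the first line of addItemToPreview. Separately, the new `query` variable in updatePreview is only used for the length check; the request still sends `$form.serialize()`, so the trimmed and whitespace-collapsed value never reaches the server, which is presumably not what was intended. The enclosing initInstantSearch starts in the second hunk and closes in the fourth.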

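--- a/src/AppBundle/Controller/BlogController.php
+++ b/src/AppBundle/Controller/BlogController.php
@@ -155,8 +155,7 @@ public function searchAction(Request $request)
 
 foreach ($posts as $post) {
 array_push($results, array(
-// We should never trust to admin user
-'result' => strip_tags($post->getTitle()),
+'result' => htmlspecialchars($post->getTitle()),
 'url' => $this->generateUrl('blog_post', array('slug' => $post->getSlug())),
 ));
 }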
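Review bot: `htmlspecialchars($post->getTitle())` now double-escapes, because the same commit makes the JavaScript consumer insert `result` with jQuery `.text()`, which already treats the value as plain text; a title containing `&`, `<` or `"` will be displayed literally as `&amp;`, `&lt;` or `&quot;`. Encode at exactly one layer: since the client uses `.text()`, returning the raw title (`'result' => $post->getTitle(),`) is the consistent choice, with a short comment noting that escaping happens on insertion in jquery.instantSearch.js. If the server-side escape is kept instead, pass the flags explicitly (`htmlspecialchars($post->getTitle(), ENT_QUOTES | ENT_SUBSTITUTE)`), since before PHP 8.1 the default leaves single quotes unescaped. searchAction begins and ends outside the hunk.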
