Escape search queries

author: Omar Roth <omarroth@hotmail.com> 2018-09-27 17:02:59 -0500
committer: Omar Roth <omarroth@hotmail.com> 2018-09-27 17:02:59 -0500
commit: b0b5e3e982987cc860369c41950ebbdbc602b6b9 (patch)
tree: 602c9c22c9493267bb6773b970b6cdce7a23decb
parent: 4fb275ec6e55659f487eca244195a2f2cd7f27df (diff)
download: invidious-b0b5e3e982987cc860369c41950ebbdbc602b6b9.tar.gz
invidious-b0b5e3e982987cc860369c41950ebbdbc602b6b9.tar.bz2
invidious-b0b5e3e982987cc860369c41950ebbdbc602b6b9.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/src/invidious/views/template.ecr b/src/invidious/views/template.ecr
index 1086b3d7..c90f8961 100644
--- a/src/invidious/views/template.ecr
+++ b/src/invidious/views/template.ecr
@@ -28,7 +28,7 @@
         <div class="pure-u-1 pure-u-md-12-24 searchbar">
           <form class="pure-form" action="/search" method="get">
             <fieldset>
-              <input type="search" style="width:100%;" name="q" placeholder="search" value="<%= env.params.query["q"]? || env.get? "search" %>">
+              <input type="search" style="width:100%;" name="q" placeholder="search" value="<%= env.params.query["q"]?.try {|x| HTML.escape(x)} || env.get?("search").try {|x| HTML.escape(x.as(String)) }  %>">
             </fieldset>
           </form>
         </div>
author	Omar Roth <omarroth@hotmail.com>	2018-09-27 17:02:59 -0500
committer	Omar Roth <omarroth@hotmail.com>	2018-09-27 17:02:59 -0500
commit	b0b5e3e982987cc860369c41950ebbdbc602b6b9 (patch)
tree	602c9c22c9493267bb6773b970b6cdce7a23decb
parent	4fb275ec6e55659f487eca244195a2f2cd7f27df (diff)
download	invidious-b0b5e3e982987cc860369c41950ebbdbc602b6b9.tar.gz invidious-b0b5e3e982987cc860369c41950ebbdbc602b6b9.tar.bz2 invidious-b0b5e3e982987cc860369c41950ebbdbc602b6b9.zip