authorOmar Roth <omarroth@hotmail.com>2018-11-08 17:27:21 -0600
committerOmar Roth <omarroth@hotmail.com>2018-11-08 17:27:21 -0600
commit28f564ee4c1b188c06d91d3e4ca0412dd121ad12 (patch)
tree206e44964215b992a69e28e7cfb876380a248a71
parent1ea563f4f1d24fe35650f83c3f5c0af88e0fa093 (diff)
Fix XSS in title and input bar
-rw-r--r--src/invidious/views/search.ecr2
-rw-r--r--src/invidious/views/template.ecr2
2 files changed, 2 insertions, 2 deletions
diff --git a/src/invidious/views/search.ecr b/src/invidious/views/search.ecr
index f02afedd..7ab3d0c7 100644
--- a/src/invidious/views/search.ecr
+++ b/src/invidious/views/search.ecr
@@ -1,5 +1,5 @@
<% content_for "header" do %>
-<title><%= search_query.not_nil!.size > 30 ? query.not_nil![0,30].rstrip(".") + "..." : query.not_nil! %> - Invidious</title>
+<title><%= search_query.not_nil!.size > 30 ? HTML.escape(query.not_nil![0,30].rstrip(".") + "...") : HTML.escape(query.not_nil!) %> - Invidious</title>
<% end %>
<% videos.each_slice(4) do |slice| %>
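Review bot: The new title line still tests the length of `search_query` but truncates and prints `query`; if those are two different bindings (both are set outside this hunk, so it cannot be confirmed here) the `> 30` guard is evaluated against the wrong string and the rendered title may be truncated at the wrong threshold or not at all, which the escaping change does not address. Escaping both arms separately also duplicates the call; wrapping the whole ternary is shorter and makes it impossible for a later edit to add a third, unescaped arm: `<title><%= HTML.escape(query.not_nil!.size > 30 ? query.not_nil![0, 30].rstrip(".") + "..." : query.not_nil!) %> - Invidious</title>` (substitute `search_query` throughout if that is the intended source). The order chosen here, truncate first and escape afterwards, is the right one and should be kept, since slicing an already-escaped string could cut an entity such as `&amp;` in half and re-open an injection point.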
diff --git a/src/invidious/views/template.ecr b/src/invidious/views/template.ecr
index bcf20c46..1e31fb4a 100644
--- a/src/invidious/views/template.ecr
+++ b/src/invidious/views/template.ecr
@@ -35,7 +35,7 @@
<div class="pure-u-1 pure-u-md-12-24 searchbar">
<form class="pure-form" action="/search" method="get">
<fieldset>
- <input type="search" style="width:100%;" name="q" placeholder="search" value="<%= env.params.query["q"]?.try {|x| HTML.escape(x)} || env.get?("search").try {|x| HTML.escape(x.as(String)) } %>">
+ <input type="search" style="width:100%;" name="q" placeholder="search" value="<%= env.get?("search").try {|x| HTML.escape(x.as(String)) } || env.params.query["q"]?.try {|x| HTML.escape(x)} %>">
</fieldset>
</form>
</div>
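Review bot: Both sources on the old `value=` line were already passed through `HTML.escape`, so this hunk changes only which one wins when both are present (`env.get?("search")` now takes precedence over the raw `q` parameter); the "input bar" half of the fix in the title presumably relies on the server-side `search` value being the sanitised one, but nothing in the hunk shows how it is set, so that is worth stating where `env.set("search", ...)` happens. The attribute context is covered because Crystal's `HTML.escape` encodes the double quote as well as `&`, `<` and `>`. Escaping twice is avoidable by selecting the value first and escaping once: `value="<%= (env.get?("search").try { |x| x.as(String) } || env.params.query["q"]?).try { |x| HTML.escape(x) } %>"`, which keeps the same empty output when neither is present.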