Merge pull request #447 from litvinovg/VIVO-3951

Sanitized search-related freemarker variables
vivo-project · Mar 21, 2024 · c4ff70e · c4ff70e
2 parents c5da68a + 4205948
commit c4ff70e
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 24 deletions.
diff --git a/webapp/src/main/webapp/templates/freemarker/body/search/search-pagedResults.ftl b/webapp/src/main/webapp/templates/freemarker/body/search/search-pagedResults.ftl
@@ -31,15 +31,15 @@ ${headScripts.add('<script type="text/javascript" src="${urls.base}/bootstrap-5.
     <#if (pagingLinks?size > 0)>
         <div class="searchpages">
             ${i18n().pages}:
-            <#if prevPage??><a class="prev" href="${prevPage}" title="${i18n().previous}">${i18n().previous}</a></#if>
+            <#if prevPage??><a class="prev" href="${prevPage?html}" title="${i18n().previous}">${i18n().previous}</a></#if>
             <#list pagingLinks as link>
                 <#if link.url??>
-                    <a href="${link.url}" title="${i18n().page_link}">${link.text}</a>
+                    <a href="${link.url?html}" title="${i18n().page_link}">${link.text?html}</a>
                 <#else>
-                    <span>${link.text}</span> <#-- no link if current page -->
+                    <span>${link.text?html}</span> <#-- no link if current page -->
                 </#if>
             </#list>
-            <#if nextPage??><a class="next" href="${nextPage}" title="${i18n().next_capitalized}">${i18n().next_capitalized}</a></#if>
+            <#if nextPage??><a class="next" href="${nextPage?html}" title="${i18n().next_capitalized}">${i18n().next_capitalized}</a></#if>
         </div>
     </#if>
 </#macro>
@@ -52,12 +52,12 @@ ${headScripts.add('<script type="text/javascript" src="${urls.base}/bootstrap-5.
 	<script type="text/javascript">
 		var url = window.location.toString();
 		if (url.indexOf("?") == -1){
-			var queryText = 'querytext=${querytext}';
+			var queryText = 'querytext=${querytext?js_string}';
 		} else {
 			var urlArray = url.split("?");
 			var queryText = urlArray[1];
 		}
-	
+
 		var urlsBase = '${urls.base}';
 		
 		$("input:radio").on("click",function (e) {
@@ -303,7 +303,7 @@ ${headScripts.add('<script type="text/javascript" src="${urls.base}/bootstrap-5.
 	<#else>
 		<li class="form-group-tab nav-item">
 	</#if>
-			<a data-toggle="tab" class="nav-link" href="#${group.id}" id="${group.id}-tab" data-bs-toggle="tab" data-bs-target="#${group.id}" type="button" role="tab" aria-controls="${group.id}" aria-selected="false">${group.label}</a>
+			<a data-toggle="tab" class="nav-link" href="#${group.id?html}" id="${group.id?html}-tab" data-bs-toggle="tab" data-bs-target="#${group.id?html}" type="button" role="tab" aria-controls="${group.id?html}" aria-selected="false">${group.label?html}</a>
 		</li>
 </#macro>
 
@@ -313,12 +313,12 @@ ${headScripts.add('<script type="text/javascript" src="${urls.base}/bootstrap-5.
 		<#return>
 	</#if>
 		<li class="filter-tab">
-			<a data-toggle="tab" class="nav-link" href="#${filter.id}" id="${filter.id}-tab" data-bs-toggle="tab" data-bs-target="#${filter.id}" type="button" role="tab" aria-controls="${filter.id}" aria-selected="false">${filter.name}</a>
+			<a data-toggle="tab" class="nav-link" href="#${filter.id?html}" id="${filter.id?html}-tab" data-bs-toggle="tab" data-bs-target="#${filter.id?html}" type="button" role="tab" aria-controls="${filter.id?html}" aria-selected="false">${filter.name?html}</a>
 		</li>
 </#macro>
 
 <#macro printFilterValues filter assignedActive isEmptySearch>
-		<div id="${filter.id}" class="tab-pane fade filter-area">
+		<div id="${filter.id?html}" class="tab-pane fade filter-area">
 			<#if filter.id == "querytext">
 			<#-- skip query text filter -->
 			<#elseif filter.type == "RangeFilter">
@@ -359,22 +359,22 @@ ${headScripts.add('<script type="text/javascript" src="${urls.base}/bootstrap-5.
 	<#assign from = filter.fromYear >
 	<#assign to = filter.toYear >
 
-	<div class="range-filter" id="${filter.id}" class="tab-pane fade filter-area">
-		<div class="range-slider-container" min="${filter.min}" max="${filter.max}">
+	<div class="range-filter" id="${filter.id?html}" class="tab-pane fade filter-area">
+		<div class="range-slider-container" min="${filter.min?html}" max="${filter.max?html}">
 			<div class="range-slider"></div>
 			${i18n().from}
 			<#if from?has_content>
-				<div class="range-slider-start">${from}</div>
+				<div class="range-slider-start">${from?html}</div>
 			<#else>
-				<div class="range-slider-start">${min}</div>
+				<div class="range-slider-start">${min?html}</div>
 			</#if>
 			${i18n().to}
 			<#if to?has_content>
-				<div class="range-slider-end">${to}</div>
+				<div class="range-slider-end">${to?html}</div>
 			<#else>
-				<div class="range-slider-end">${max}</div>
+				<div class="range-slider-end">${max?html}</div>
 			</#if>
-			<input form="search-form" id="filter_range_${filter.id}" style="display:none;" class="range-slider-input" name="filter_range_${filter.id}" value="${filter.rangeInput}"/>
+			<input form="search-form" id="filter_range_${filter.id?html}" style="display:none;" class="range-slider-input" name="filter_range_${filter.id?html}" value="${filter.rangeInput?html}"/>
 		</div>
 	</div>
 </#macro>
@@ -385,7 +385,7 @@ ${headScripts.add('<script type="text/javascript" src="${urls.base}/bootstrap-5.
 	<#if !filter.localizationRequired>
 		<#assign label = filter.name + " : " + value.id >
 	</#if>
-	<#return "<label for=\"" + getValueID(filter.id, valueNumber) + "\">" + getValueLabel(label, value.count) + "</label>" />
+	<#return "<label for=\"" + getValueID(filter.id, valueNumber)?html + "\">" + getValueLabel(label, value.count)?html + "</label>" />
 </#function>
 
 <#function getLabel valueID value filter additional=false >
@@ -397,24 +397,24 @@ ${headScripts.add('<script type="text/javascript" src="${urls.base}/bootstrap-5.
 	<#if additional=true>
 		<#assign additionalClass = "additional-search-options hidden-search-option" >
 	</#if>
-	<#return "<label class=\"" + additionalClass + "\" for=\"" + getValueID(filter.id, valueNumber) + "\">" + getValueLabel(label, value.count) + "</label>" />
+	<#return "<label class=\"" + additionalClass + "\" for=\"" + getValueID(filter.id, valueNumber)?html + "\">" + getValueLabel(label, value.count)?html + "</label>" />
 </#function>
 
 
 <#macro userSelectedInput filter>
 	<#if filter.inputText?has_content>
-		<button form="search-form" type="button" id="button_filter_input_${filter.id}" onclick="clearInput('filter_input_${filter.id}')" class="checked-search-input-label">${filter.name} : ${filter.inputText}</button>
+		<button form="search-form" type="button" id="button_filter_input_${filter.id?html}" onclick="clearInput('filter_input_${filter.id?js_string?html}')" class="checked-search-input-label">${filter.name?html} : ${filter.inputText?html}</button>
 	</#if>
 	<#assign from = filter.fromYear >
 	<#assign to = filter.toYear >
 	<#if from?has_content && to?has_content >
 		<#assign range = i18n().from + " " + from + " " + i18n().to + " " + to >
-		<button form="search-form" type="button" id="button_filter_range_${filter.id}" onclick="clearInput('filter_range_${filter.id}')" class="checked-search-input-label">${filter.name} : ${range}</button>
+		<button form="search-form" type="button" id="button_filter_range_${filter.id?html}" onclick="clearInput('filter_range_${filter.id?js_string?html}')" class="checked-search-input-label">${filter.name?html} : ${range?html}</button>
 	</#if>
 </#macro>
 
 <#macro createUserInput filter>
-	<input form="search-form" id="filter_input_${filter.id}"  placeholder="${i18n().search_field_placeholder}" class="search-vivo" type="text" name="filter_input_${filter.id}" value="${filter.inputText}" autocapitalize="none" />
+	<input form="search-form" id="filter_input_${filter.id?html}"  placeholder="${i18n().search_field_placeholder}" class="search-vivo" type="text" name="filter_input_${filter.id?html}" value="${filter.inputText?html}" autocapitalize="none" />
 </#macro>
 
 <#function getInput filter filterValue valueID valueNumber>
@@ -433,7 +433,7 @@ ${headScripts.add('<script type="text/javascript" src="${urls.base}/bootstrap-5.
 		<#assign filterName = filterName + "_" + valueNumber >
 	</#if>
 
-	<#return "<input form=\"search-form\" type=\"" + type + "\" id=\"" + valueID?html + "\"  value=\"" + filter.id + ":" + filterValue.id 
+	<#return "<input form=\"search-form\" type=\"" + type + "\" id=\"" + valueID?html + "\"  value=\"" + filter.id?html + ":" + filterValue.id?html 
 		+ "\" name=\"filters_" + valueID?html + "\" style=\"display:none;\" " + checked + "\" class=\"" + class + "\" >" />
 </#function>
 

diff --git a/webapp/src/main/webapp/templates/freemarker/page/partials/search.ftl b/webapp/src/main/webapp/templates/freemarker/page/partials/search.ftl
@@ -3,7 +3,7 @@
 <div id="searchBlock">
     <form id="searchForm" action="${urls.search}" accept-charset="UTF-8" method="GET">
         <label for="search">${i18n().search_button}</label>
-        <input type="text" name="querytext" id="filter_input_querytext" class="search-form-item" value="${querytext!}" size="20" autocapitalize="off" />
+        <input type="text" name="querytext" id="filter_input_querytext" class="search-form-item" value="${querytext!?html}" size="20" autocapitalize="off" />
         <input class="search-form-submit" name="submit" type="submit"  value="${i18n().search_button}" />
     </form>
 </div> <!-- end searchBlock -->
diff --git a/webapp/src/main/webapp/themes/vitro/templates/search.ftl b/webapp/src/main/webapp/themes/vitro/templates/search.ftl
@@ -6,7 +6,7 @@
 
         <form id="search-form" action="${urls.search}" name="search" role="search" accept-charset="UTF-8" method="GET">
             <div id="search-field">
-                <input type="text" id="filter_input_querytext" name="querytext" class="search-vitro" value="${querytext!}" autocapitalize="off" />
+                <input type="text" id="filter_input_querytext" name="querytext" class="search-vitro" value="${querytext!?html}" autocapitalize="off" />
                 <input type="submit" value="${i18n().search_button}" class="search">
             </div>
         </form>