core: fix special caracter in user and forum search

2025-10-31 09:03:06 +00:00 · 2019-05-09 19:51:55 +02:00
parent bf06aea680
commit 355a51d2ce
2 changed files with 13 additions and 8 deletions
--- a/core/views/site.py
+++ b/core/views/site.py
@@ -26,6 +26,7 @@ from django.shortcuts import render, redirect
 from django.http import JsonResponse
 from django.core import serializers
 from django.contrib.auth.decorators import login_required
+from django.utils import html
 from django.views.generic import ListView, TemplateView
 from django.conf import settings

@@ -71,10 +72,11 @@ def notification(request, notif_id):


 def search_user(query, as_json=False):
-    if query == "" or query.isspace():
+    try:
+        res = SearchQuerySet().models(User).autocomplete(auto=html.escape(query))[:20]
+        return [r.object for r in res]
+    except TypeError:
        return []
-    res = SearchQuerySet().models(User).autocomplete(auto=query)[:20]
-    return [r.object for r in res]


 def search_club(query, as_json=False):
--- a/forum/views.py
+++ b/forum/views.py
@@ -29,7 +29,7 @@ from django.views.generic.edit import UpdateView, CreateView, DeleteView
 from django.views.generic.detail import SingleObjectMixin
 from django.utils.translation import ugettext_lazy as _
 from django.core.urlresolvers import reverse_lazy
-from django.utils import timezone
+from django.utils import timezone, html
 from django.conf import settings
 from django import forms
 from django.core.exceptions import PermissionDenied
@@ -56,11 +56,15 @@ class ForumSearchView(ListView):
        query = self.request.GET.get("query", "")
        order_by = self.request.GET.get("order", "")

-        if query == "" or query.isspace():
+        try:
+            queryset = (
+                RelatedSearchQuerySet()
+                .models(ForumMessage)
+                .autocomplete(auto=html.escape(query))
+            )
+        except TypeError:
            return []

-        queryset = RelatedSearchQuerySet().models(ForumMessage).autocomplete(auto=query)
-
        if order_by == "date":
            queryset = queryset.order_by("-date")

@@ -85,7 +89,6 @@ class ForumSearchView(ListView):
            ):
                resp.append(r.object)
                count += 1
-
        return resp