From 11245aaf7f4faa7d0217a29af007e257a32c398e Mon Sep 17 00:00:00 2001 From: Michael Gnehr Date: Fri, 28 Jun 2019 18:22:45 +0200 Subject: [PATCH 1/4] - do not select if escape is pressed - allow prefixes by adding current request content to result list - remove html-tags before insert on page fix #7126 Signed-off-by: Michael Gnehr --- public/js/index.js | 23 ++++++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) diff --git a/public/js/index.js b/public/js/index.js index 53fcaa8ba1eb6..0fd0c5d031a21 100644 --- a/public/js/index.js +++ b/public/js/index.js @@ -2847,6 +2847,7 @@ function initTopicbar() { topicDropdown.dropdown({ allowAdditions: true, + forceSelection: false, fields: { name: "description", value: "data-value" }, saveRemoteData: false, label: { @@ -2864,18 +2865,34 @@ function initTopicbar() { throttle: 500, cache: false, onResponse: function(res) { - var formattedResponse = { + let formattedResponse = { success: false, results: [], }; + const escapeHtml = function (text) { + let esc = document.createElement('div'); + esc.innerHTML = text; + return esc.innerText; + }; + + let query = escapeHtml(this.urlData.query.trim()); + let found_query = false; if (res.topics) { formattedResponse.success = true; - for (var i=0;i < res.topics.length;i++) { - formattedResponse.results.push({"description": res.topics[i].Name, "data-value": res.topics[i].Name}) + for (let i=0;i < res.topics.length;i++) { + if (res.topics[i].Name.toLowerCase() == query.toLowerCase()){ + found_query = true; + } + formattedResponse.results.push({"description": res.topics[i].Name, "data-value": res.topics[i].Name}); } } + if (query.length > 0 && !found_query){ + formattedResponse.success = true; + formattedResponse.results.unshift({"description": query, "data-value": query}); + } + return formattedResponse; }, }, From a687e940f6417030d8a3dfbb1ceca47ebf8357a1 Mon Sep 17 00:00:00 2001 
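Review bot: `escapeHtml` in the onResponse hunk does not escape anything — assigning the typed query to `innerHTML` on a detached div parses it as markup (an `<img src=x onerror=…>` in the query fires its handler even though the element is never attached), and `innerText` then returns decoded text, not escaped text, so the name misleads a later reader into treating `query` as safe to insert into HTML. If the intent is only to keep markup out of the suggestion label, strip it without a DOM parse (a `text.replace(/<[^>]*>?/g, '')` style strip, or simply leaving the text alone) and rename the helper accordingly, e.g. `const stripTags = (text) => text.replace(/<[^>]*>?/g, '');`. Actual output safety has to come from wherever `description` is rendered into the menu, which is not visible in this hunk. The enclosing `initTopicbar` function starts and ends outside the hunk.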
From: Michael Gnehr Date: Fri, 28 Jun 2019 19:15:01 +0200 Subject: [PATCH 2/4] sort current query to top Signed-off-by: Michael Gnehr --- public/js/index.js | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/public/js/index.js b/public/js/index.js index 0fd0c5d031a21..41a5ac8aed0e9 100644 --- a/public/js/index.js +++ b/public/js/index.js @@ -2881,7 +2881,7 @@ function initTopicbar() { if (res.topics) { formattedResponse.success = true; for (let i=0;i < res.topics.length;i++) { - if (res.topics[i].Name.toLowerCase() == query.toLowerCase()){ + if (res.topics[i].Name.toLowerCase() === query.toLowerCase()){ found_query = true; } formattedResponse.results.push({"description": res.topics[i].Name, "data-value": res.topics[i].Name}); @@ -2891,8 +2891,17 @@ function initTopicbar() { if (query.length > 0 && !found_query){ formattedResponse.success = true; formattedResponse.results.unshift({"description": query, "data-value": query}); + } else if (query.length > 0 && found_query) { + formattedResponse.results.sort(function(a, b){ + if (a.description.toLowerCase() === query.toLowerCase()) return -1; + if (b.description.toLowerCase() === query.toLowerCase()) return 1; + if (a.description > b.description) return -1; + if (a.description < b.description) return 1; + return 0; + }); } + return formattedResponse; }, }, From d68d410dfca81d3c50c606b4dbedf8c9cf95a7c9 Mon Sep 17 00:00:00 2001 From: Michael Gnehr Date: Fri, 28 Jun 2019 19:25:15 +0200 Subject: [PATCH 3/4] remove already added topics from dropdown list Signed-off-by: Michael Gnehr --- public/js/index.js | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/public/js/index.js b/public/js/index.js index 41a5ac8aed0e9..1423ee82162af 100644 --- a/public/js/index.js +++ b/public/js/index.js 
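Review bot: The comparator in the new `else if` branch orders the non-query entries descending — `if (a.description > b.description) return -1;` puts "z" ahead of "a" — which looks accidental next to the stated aim of only moving the current query to the top; if alphabetical order is intended the two tie-break lines should read `if (a.description < b.description) return -1; if (a.description > b.description) return 1;`. The comparator is also inconsistent when both sides match the query, which can happen because the match is case-insensitive while the tie-break is case-sensitive: it returns -1 for (a, b) and for (b, a), so their relative order is unspecified. Deciding the query match in one step avoids that: `const aq = a.description.toLowerCase() === q, bq = b.description.toLowerCase() === q; if (aq !== bq) return aq ? -1 : 1;` with `q` hoisted once outside the comparator. The enclosing onResponse callback starts outside the hunk.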
@@ -2877,15 +2877,24 @@ function initTopicbar() { let query = escapeHtml(this.urlData.query.trim()); let found_query = false; + let current_topics = []; + topicDropdown.find('div.label.visible.topic,a.label.visible').each(function(_,e){ current_topics.push(e.dataset.value); }); if (res.topics) { - formattedResponse.success = true; + let found = false; for (let i=0;i < res.topics.length;i++) { + // skip currently added tags + if (current_topics.indexOf(res.topics[i].Name) != -1){ + continue; + } + if (res.topics[i].Name.toLowerCase() === query.toLowerCase()){ found_query = true; } formattedResponse.results.push({"description": res.topics[i].Name, "data-value": res.topics[i].Name}); + found = true; } + formattedResponse.success = found; } if (query.length > 0 && !found_query){ From 7abce8fa206cfcf9c134f16610577aed6ace1945 Mon Sep 17 00:00:00 2001 From: Michael Gnehr Date: Sun, 30 Jun 2019 10:29:33 +0200 Subject: [PATCH 4/4] protoct against xss thanks to @silverwind Signed-off-by: Michael Gnehr --- public/js/index.js | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/public/js/index.js b/public/js/index.js index 1423ee82162af..b932ef95903a5 100644 --- a/public/js/index.js +++ b/public/js/index.js @@ -2869,13 +2869,11 @@ function initTopicbar() { success: false, results: [], }; - const escapeHtml = function (text) { - let esc = document.createElement('div'); - esc.innerHTML = text; - return esc.innerText; + const stripTags = function (text) { + return text.replace(/<[^>]*>?/gm, ""); }; - let query = escapeHtml(this.urlData.query.trim()); + let query = stripTags(this.urlData.query.trim()); let found_query = false; let current_topics = []; topicDropdown.find('div.label.visible.topic,a.label.visible').each(function(_,e){ current_topics.push(e.dataset.value); });
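Review bot: In the "skip currently added tags" branch the `continue` runs before the `found_query` comparison, so when the typed query equals a topic that is already attached, `found_query` stays false and the block that begins on the hunk's last line (`if (query.length > 0 && !found_query)`) unshifts that same name as a fresh suggestion — the entry the commit means to hide comes back at the top of the list (whether the dropdown then refuses the duplicate on selection is not visible here). Guard the unshift on the attached topics too, e.g. `if (query.length > 0 && !found_query && current_topics.indexOf(query) === -1){`, or set `found_query` before the `continue`. The membership test `current_topics.indexOf(res.topics[i].Name) != -1` also uses loose comparison while the surrounding code uses `===`; `!== -1` (or `includes`) keeps the function consistent. The `if (query.length > 0 …)` block continues outside the hunk.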
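Review bot: `stripTags` filters the user's own input on the client, so it only prevents self-XSS and it silently changes the submitted value — the stripped `query` is also used as `data-value`, and because the regex's `>` is optional, a query like `c<d` becomes `c` before it is offered or sent. The server-supplied `res.topics[i].Name` reaches the same `description` field without any stripping, so whether markup can execute is decided by how the dropdown template renders `description`, which this hunk does not show; if that template does not escape, the fix belongs there, not in the query filter. A comment above the helper would stop the next reader from taking it for the sanitizer: `// Cosmetic only: keeps markup out of the suggestion label. Not an XSS boundary — output escaping and server-side topic validation still apply.` The enclosing onResponse callback and `initTopicbar` continue outside the hunk.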