fssnippets / fssnip-website

Source code for the F# Snippets web site
http://fssnip.net

HTML Encode search query #39

Closed MarcinJuraszek closed 8 years ago

MarcinJuraszek commented 8 years ago

HTML encode search query to prevent script injection. Resolves https://github.com/tpetricek/FsSnip.Website/issues/36

tpetricek commented 8 years ago

Thanks!

I wonder if it would make sense to do the formatting in the DotLiquid template? I think that would be a bit nicer!

When you add some function to filters like niceDate here, it becomes available as a DotLiquid filter and can be used by writing {{ something | nice_date }} like here.

So I think you could change this bit of code to use {{ model.Query | html_encode }}.

tpetricek commented 8 years ago

(DotLiquid apparently_likes_underscores_for_some_reason :-) )

MarcinJuraszek commented 8 years ago

Did not know that. It's way more readable!

patrick-mackay commented 8 years ago

Hi, there is a built-in function escape that does the same.

{{ model.Query | escape }}
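The two approaches discussed in this thread side by side, as an added example that is not part of the FsSnip.Website code base: a custom F# filter registered with DotLiquid (exposed under the snake_case name `html_encode`) and DotLiquid's built-in `escape` filter, both applied to a reflected search query. The `Filters` type, the `render` helper and the sample query are assumptions for illustration; the example assumes the DotLiquid NuGet package is referenced.

```fsharp
// Added example, not the project's own code. Assumes DotLiquid is referenced.
open System
open System.Net
open DotLiquid

// Hypothetical filter type. DotLiquid registers each public static method
// under a snake_case name, so HtmlEncode is used as {{ x | html_encode }}.
type Filters =
    static member HtmlEncode (input: string) = WebUtility.HtmlEncode input

Template.RegisterFilter typeof<Filters>

// Constructed untrusted input: a search query carrying a script tag.
let query = "<script>alert(1)</script>"

// Build the template context from nested Hash objects so that model.Query
// resolves without registering a safe type for a custom model class.
let model = Hash()
model.["Query"] <- box query
let context = Hash()
context.["model"] <- box model

// Parse and render a template fragment against the context above.
let render (source: string) : string =
    Template.Parse(source).Render(context)

// Unescaped: the tag lands in the page verbatim, which is the reflected
// script injection the PR fixes.
let unsafeHtml = render "<h2>Results for {{ model.Query }}</h2>"

// Custom filter: < and > come out as &lt; and &gt;.
let encodedByFilter = render "<h2>Results for {{ model.Query | html_encode }}</h2>"

// Built-in DotLiquid filter: same effect with no custom code.
let encodedBuiltin = render "<h2>Results for {{ model.Query | escape }}</h2>"

printfn "unsafe:  %s" unsafeHtml
printfn "filter:  %s" encodedByFilter
printfn "escape:  %s" encodedBuiltin
```

The one thing to check after switching to a template filter is that every place the query is interpolated uses it; a single unfiltered `{{ model.Query }}` elsewhere in the template reintroduces the original issue.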

MarcinJuraszek commented 8 years ago

That's even better. Thanks @patrick-mackay!

tpetricek commented 8 years ago

Nice, that was even easier than I thought :-)