From afa6c0a9a423ce995750fd25b1720f96a89e81bd Mon Sep 17 00:00:00 2001
From: Isaac Janzen <50783505+janzenisaac@users.noreply.github.com>
Date: Fri, 16 Jun 2023 15:56:41 -0500
Subject: [PATCH] DEV: Escape html and emojis in search menu topic result type
titles (#22166)
# Before
# After
---
.../search-menu/highlighted-search.hbs | 2 +-
.../search-menu/highlighted-search.js | 1 -
.../tests/acceptance/glimmer-search-test.js | 28 +++++++++++++++++++
.../tests/fixtures/search-fixtures.js | 6 ++--
4 files changed, 32 insertions(+), 5 deletions(-)
diff --git a/app/assets/javascripts/discourse/app/components/search-menu/highlighted-search.hbs b/app/assets/javascripts/discourse/app/components/search-menu/highlighted-search.hbs
index af66c0f837a..28bf444b69d 100644
--- a/app/assets/javascripts/discourse/app/components/search-menu/highlighted-search.hbs
+++ b/app/assets/javascripts/discourse/app/components/search-menu/highlighted-search.hbs
@@ -1 +1 @@
-{{this.content}}
\ No newline at end of file
+{{html-safe @string}}
\ No newline at end of file
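Review bot: `{{html-safe @string}}` marks whatever the caller passes as trusted HTML, so the component no longer escapes anything itself; before this change the value went through `span.textContent` in the constructor. Nothing in the template or the argument name says that `@string` must already be escaped markup, so a later caller passing a raw title would turn this into an XSS sink. I would add a template comment such as `{{! @string is rendered as raw HTML: pass only server-escaped markup, never raw user input }}`. In highlighted-search.js the span and the `highlightSearch(span, ...)` call stay in the constructor but their result is no longer rendered, so that code looks dead and search-term highlighting appears to be lost.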
diff --git a/app/assets/javascripts/discourse/app/components/search-menu/highlighted-search.js b/app/assets/javascripts/discourse/app/components/search-menu/highlighted-search.js
index 7f892b47ef5..dd0fba9e501 100644
--- a/app/assets/javascripts/discourse/app/components/search-menu/highlighted-search.js
+++ b/app/assets/javascripts/discourse/app/components/search-menu/highlighted-search.js
@@ -9,7 +9,6 @@ export default class HighlightedSearch extends Component {
super(...arguments);
const span = document.createElement("span");
span.textContent = this.args.string;
- this.content = span;
highlightSearch(span, this.search.activeGlobalSearchTerm);
}
diff --git a/app/assets/javascripts/discourse/tests/acceptance/glimmer-search-test.js b/app/assets/javascripts/discourse/tests/acceptance/glimmer-search-test.js
index f24cdff9a6e..553a43da439 100644
--- a/app/assets/javascripts/discourse/tests/acceptance/glimmer-search-test.js
+++ b/app/assets/javascripts/discourse/tests/acceptance/glimmer-search-test.js
@@ -134,6 +134,34 @@ acceptance("Search - Glimmer - Anonymous", function (needs) {
);
});
+ test("Topic type search result escapes html in topic title", async function (assert) {
+ await visit("/");
+ await click("#search-button");
+ await fillIn("#search-term", "dev");
+ await triggerKeyEvent("#search-term", "keyup", "Enter");
+
+ assert.ok(
+ exists(
+ ".search-menu .search-result-topic .item .topic-title span#topic-with-html"
+ ),
+ "html in the topic title is properly escaped"
+ );
+ });
+
+ test("Topic type search result escapes emojis in topic title", async function (assert) {
+ await visit("/");
+ await click("#search-button");
+ await fillIn("#search-term", "dev");
+ await triggerKeyEvent("#search-term", "keyup", "Enter");
+
+ assert.ok(
+ exists(
+ ".search-menu .search-result-topic .item .topic-title img[alt='+1']"
+ ),
+ ":+1: in the topic title is properly converted to an emoji"
+ );
+ });
+
test("search button toggles search menu", async function (assert) {
await visit("/");
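Review bot: The first added test is named "escapes html", but `exists("... .topic-title span#topic-with-html")` passes only when markup from the title becomes a live element, so it asserts that HTML is rendered rather than escaped. I would reword the message to `"html in the topic title is rendered"` and add a negative case whose fixture title carries entity-escaped markup, asserting that it shows up as text and creates no element under `.topic-title`. The fixture title visible in search-fixtures.js on this page shows no `#topic-with-html` markup, so what the selector matches cannot be confirmed from here. The enclosing `acceptance(...)` block starts and ends outside the hunk.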
diff --git a/app/assets/javascripts/discourse/tests/fixtures/search-fixtures.js b/app/assets/javascripts/discourse/tests/fixtures/search-fixtures.js
index eb7ab45dba8..5d83fea8a23 100644
--- a/app/assets/javascripts/discourse/tests/fixtures/search-fixtures.js
+++ b/app/assets/javascripts/discourse/tests/fixtures/search-fixtures.js
@@ -643,9 +643,9 @@ export default {
},
{
id: 2507,
- title: "Getting dev instance to send email?",
- fancy_title: "Getting dev instance to send email?",
- slug: "getting-dev-instance-to-send-email",
+ title: "Topic with html in title",
+ fancy_title: "Topic with html in title :+1:",
+ slug: "topic-with-html-in-title",
posts_count: 19,
reply_count: 13,
highest_post_number: 21,