Escape fields before passing to JS

2 years ago · 5cc04863ac
parent 83b6285931
commit 5cc04863ac
2 changed files with 12 additions and 7 deletions
--- a/core/templates/ui/drilldown/drilldown.html
+++ b/core/templates/ui/drilldown/drilldown.html
@ -5,7 +5,12 @@
  <script>
    function populateSearch(field, value) {
      var queryElement = document.getElementById('query');
-      var toAppend = ` AND ${field}: ${value}`;
+      var present = true;
+      if (present == true) {
+        var toAppend = ` AND ${field}: "${value}"`;
+      } else {
+        var toAppend = ` AND NOT ${field}: "${value}"`;
+      }
      if (!queryElement.value.includes(toAppend)) {
        queryElement.value+=toAppend;
      } else {
--- a/core/templates/ui/drilldown/results.html
+++ b/core/templates/ui/drilldown/results.html
@ -65,7 +65,7 @@
            {% endif %}
              <td>
                <a class="has-text-link is-underlined"
-                  onclick="populateSearch('src', '{{ item.src }}')">
+                  onclick="populateSearch('src', '{{ item.src|escapejs }}')">
                  {% if item.src == 'irc' %}
                    <span class="icon" data-tooltip="IRC">
                      <i class="fa-solid fa-hashtag" aria-hidden="true"></i>
@ -79,7 +79,7 @@
              </td>
              <td>
                <a class="has-text-link is-underlined"
-                  onclick="populateSearch('type', '{{ item.type }}')">
+                  onclick="populateSearch('type', '{{ item.type|escapejs }}')">
                  {% if item.type == 'msg' %}
                    <span class="icon" data-tooltip="Message">
                      <i class="fa-solid fa-message"></i>
@ -120,7 +120,7 @@
              <td style="max-width: 10em" class="wrap">{{ item.msg }}</td>
              <td>
                <a class="has-text-link is-underlined"
-                  onclick="populateSearch('host', '{{ item.host }}')">
+                  onclick="populateSearch('host', '{{ item.host|escapejs }}')">
                  {{ item.host }}
                </a>
              </td>
@ -141,7 +141,7 @@
                      </span>
                    {% endif %}
                  </div>
-                  <a class="nowrap-child has-text-link is-underlined" onclick="populateSearch('nick', '{{ item.nick }}')">
+                  <a class="nowrap-child has-text-link is-underlined" onclick="populateSearch('nick', '{{ item.nick|escapejs }}')">
                    {{ item.nick }}
                  </a>
                    {% if item.num_chans is not None %}
@ -169,7 +169,7 @@
              <td>
                <div class="nowrap-parent">
                  <a class="nowrap-child has-text-link is-underlined"
-                    onclick="populateSearch('channel', '{{ item.channel }}')">
+                    onclick="populateSearch('channel', '{{ item.channel|escapejs }}')">
                    {{ item.channel }}
                  </a>
                  {% if item.num_users is not None %}
@ -183,7 +183,7 @@
              </td>
              <td>
                <a class="has-text-link is-underlined"
-                  onclick="populateSearch('net', '{{ item.net }}')">
+                  onclick="populateSearch('net', '{{ item.net|escapejs }}')">
                  {{ item.net }}
                </a>
              </td>