Properly encode search query param (#587)

2025-12-05 03:55:09 +01:00 · 2023-12-08 21:53:54 +01:00
parent 227cfdb063
commit 6355d8dff1
4 changed files with 89 additions and 1 deletions
--- a/bookmarks/tests/test_bookmark_index_view.py
+++ b/bookmarks/tests/test_bookmark_index_view.py
@@ -418,3 +418,31 @@ class BookmarkIndexViewTestCase(TestCase, BookmarkFactoryMixin, HtmlTestMixin):

        self.assertEqual(actions_form.attrs['action'],
                         '/bookmarks/action?q=%23foo&return_url=%2Fbookmarks%3Fq%3D%2523foo')
+
+    def test_encode_search_params(self):
+        bookmark = self.setup_bookmark(description='alert(\'xss\')')
+
+        url = reverse('bookmarks:index') + '?q=alert(%27xss%27)'
+        response = self.client.get(url)
+        self.assertNotContains(response, 'alert(\'xss\')')
+        self.assertContains(response, bookmark.url)
+
+        url = reverse('bookmarks:index') + '?sort=alert(%27xss%27)'
+        response = self.client.get(url)
+        self.assertNotContains(response, 'alert(\'xss\')')
+
+        url = reverse('bookmarks:index') + '?unread=alert(%27xss%27)'
+        response = self.client.get(url)
+        self.assertNotContains(response, 'alert(\'xss\')')
+
+        url = reverse('bookmarks:index') + '?shared=alert(%27xss%27)'
+        response = self.client.get(url)
+        self.assertNotContains(response, 'alert(\'xss\')')
+
+        url = reverse('bookmarks:index') + '?user=alert(%27xss%27)'
+        response = self.client.get(url)
+        self.assertNotContains(response, 'alert(\'xss\')')
+
+        url = reverse('bookmarks:index') + '?page=alert(%27xss%27)'
+        response = self.client.get(url)
+        self.assertNotContains(response, 'alert(\'xss\')')