Bump version

Properly encode search query param (#587 )
Update CHANGELOG.md
2025-08-29 05:16:46 +02:00 · 2023-12-08 22:01:24 +01:00 · 2023-12-08 21:53:54 +01:00 · 2023-11-24 10:23:44 +01:00
7 changed files with 106 additions and 3 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,20 @@
 # Changelog

+## v1.23.0 (24/11/2023)
+
+### What's Changed
+* Add Alpine based Docker image (experimental) by @sissbruecker in https://github.com/sissbruecker/linkding/pull/570
+* Add backup CLI command by @sissbruecker in https://github.com/sissbruecker/linkding/pull/571
+* Update browser extension links by @OPerepadia in https://github.com/sissbruecker/linkding/pull/574
+* Include archived bookmarks in export by @sissbruecker in https://github.com/sissbruecker/linkding/pull/579
+
+### New Contributors
+* @OPerepadia made their first contribution in https://github.com/sissbruecker/linkding/pull/574
+
+**Full Changelog**: https://github.com/sissbruecker/linkding/compare/v1.22.3...v1.23.0
+
+---
+
 ## v1.22.3 (04/11/2023)

 ### What's Changed
--- a/bookmarks/templates/bookmarks/search.html
+++ b/bookmarks/templates/bookmarks/search.html
@@ -95,7 +95,7 @@
      props: {
        name: 'q',
        placeholder: 'Search for words or #tags',
-        value: '{{ search.q|safe }}',
+        value: input.value,
        tags: uniqueTags,
        mode: '{{ mode }}',
        linkTarget: '{{ request.user_profile.bookmark_link_target }}',
--- a/bookmarks/tests/test_bookmark_archived_view.py
+++ b/bookmarks/tests/test_bookmark_archived_view.py
@@ -422,3 +422,31 @@ class BookmarkArchivedViewTestCase(TestCase, BookmarkFactoryMixin, HtmlTestMixin

        self.assertEqual(actions_form.attrs['action'],
                         '/bookmarks/archived/action?q=%23foo&return_url=%2Fbookmarks%2Farchived%3Fq%3D%2523foo')
+
+    def test_encode_search_params(self):
+        bookmark = self.setup_bookmark(description='alert(\'xss\')', is_archived=True)
+
+        url = reverse('bookmarks:archived') + '?q=alert(%27xss%27)'
+        response = self.client.get(url)
+        self.assertNotContains(response, 'alert(\'xss\')')
+        self.assertContains(response, bookmark.url)
+
+        url = reverse('bookmarks:archived') + '?sort=alert(%27xss%27)'
+        response = self.client.get(url)
+        self.assertNotContains(response, 'alert(\'xss\')')
+
+        url = reverse('bookmarks:archived') + '?unread=alert(%27xss%27)'
+        response = self.client.get(url)
+        self.assertNotContains(response, 'alert(\'xss\')')
+
+        url = reverse('bookmarks:archived') + '?shared=alert(%27xss%27)'
+        response = self.client.get(url)
+        self.assertNotContains(response, 'alert(\'xss\')')
+
+        url = reverse('bookmarks:archived') + '?user=alert(%27xss%27)'
+        response = self.client.get(url)
+        self.assertNotContains(response, 'alert(\'xss\')')
+
+        url = reverse('bookmarks:archived') + '?page=alert(%27xss%27)'
+        response = self.client.get(url)
+        self.assertNotContains(response, 'alert(\'xss\')')
--- a/bookmarks/tests/test_bookmark_index_view.py
+++ b/bookmarks/tests/test_bookmark_index_view.py
@@ -418,3 +418,31 @@ class BookmarkIndexViewTestCase(TestCase, BookmarkFactoryMixin, HtmlTestMixin):

        self.assertEqual(actions_form.attrs['action'],
                         '/bookmarks/action?q=%23foo&return_url=%2Fbookmarks%3Fq%3D%2523foo')
+
+    def test_encode_search_params(self):
+        bookmark = self.setup_bookmark(description='alert(\'xss\')')
+
+        url = reverse('bookmarks:index') + '?q=alert(%27xss%27)'
+        response = self.client.get(url)
+        self.assertNotContains(response, 'alert(\'xss\')')
+        self.assertContains(response, bookmark.url)
+
+        url = reverse('bookmarks:index') + '?sort=alert(%27xss%27)'
+        response = self.client.get(url)
+        self.assertNotContains(response, 'alert(\'xss\')')
+
+        url = reverse('bookmarks:index') + '?unread=alert(%27xss%27)'
+        response = self.client.get(url)
+        self.assertNotContains(response, 'alert(\'xss\')')
+
+        url = reverse('bookmarks:index') + '?shared=alert(%27xss%27)'
+        response = self.client.get(url)
+        self.assertNotContains(response, 'alert(\'xss\')')
+
+        url = reverse('bookmarks:index') + '?user=alert(%27xss%27)'
+        response = self.client.get(url)
+        self.assertNotContains(response, 'alert(\'xss\')')
+
+        url = reverse('bookmarks:index') + '?page=alert(%27xss%27)'
+        response = self.client.get(url)
+        self.assertNotContains(response, 'alert(\'xss\')')
--- a/bookmarks/tests/test_bookmark_shared_view.py
+++ b/bookmarks/tests/test_bookmark_shared_view.py
@@ -500,3 +500,35 @@ class BookmarkSharedViewTestCase(TestCase, BookmarkFactoryMixin, HtmlTestMixin):

        self.assertEqual(actions_form.attrs['action'],
                         '/bookmarks/shared/action?q=%23foo&return_url=%2Fbookmarks%2Fshared%3Fq%3D%2523foo')
+
+    def test_encode_search_params(self):
+        self.authenticate()
+        user = self.get_or_create_test_user()
+        user.profile.enable_sharing = True
+        user.profile.save()
+        bookmark = self.setup_bookmark(description='alert(\'xss\')', shared=True)
+
+        url = reverse('bookmarks:shared') + '?q=alert(%27xss%27)'
+        response = self.client.get(url)
+        self.assertNotContains(response, 'alert(\'xss\')')
+        self.assertContains(response, bookmark.url)
+
+        url = reverse('bookmarks:shared') + '?sort=alert(%27xss%27)'
+        response = self.client.get(url)
+        self.assertNotContains(response, 'alert(\'xss\')')
+
+        url = reverse('bookmarks:shared') + '?unread=alert(%27xss%27)'
+        response = self.client.get(url)
+        self.assertNotContains(response, 'alert(\'xss\')')
+
+        url = reverse('bookmarks:shared') + '?shared=alert(%27xss%27)'
+        response = self.client.get(url)
+        self.assertNotContains(response, 'alert(\'xss\')')
+
+        url = reverse('bookmarks:shared') + '?user=alert(%27xss%27)'
+        response = self.client.get(url)
+        self.assertNotContains(response, 'alert(\'xss\')')
+
+        url = reverse('bookmarks:shared') + '?page=alert(%27xss%27)'
+        response = self.client.get(url)
+        self.assertNotContains(response, 'alert(\'xss\')')
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
  "name": "linkding",
-  "version": "1.23.0",
+  "version": "1.23.1",
  "description": "",
  "main": "index.js",
  "scripts": {
--- a/version.txt
+++ b/version.txt
@@ -1 +1 @@
-1.23.0
+1.23.1
Author	SHA1	Message	Date
Sascha Ißbrücker	e83d519cab	Bump version	2023-12-08 22:01:24 +01:00
Sascha Ißbrücker	6355d8dff1	Properly encode search query param (#587 )	2023-12-08 21:53:54 +01:00
Sascha Ißbrücker	227cfdb063	Update CHANGELOG.md	2023-11-24 10:23:44 +01:00
@@ -1 +1 @@
 .23.0
 .23.1