Improved special character handling in manticore and URL query.

2024-04-01 01:50:24 +02:00 · 2024-04-01 01:50:24 +02:00 · 6f371499d3
parent 56e9d07b85
commit 6f371499d3
7 changed files with 21 additions and 8 deletions
--- a/components/filters/filters.vue
+++ b/components/filters/filters.vue
@ -283,7 +283,7 @@ function toggleFilters(state) {
 	width: 1.75rem;
 	display: flex;
 	align-items: center;
-	justify-content: center;
+	justify-content: flex-end;
 	padding: 0 .25rem;
 	overflow: hidden;
 	color: var(--shadow-weak-10);
--- a/pages/tags/+Page.vue
+++ b/pages/tags/+Page.vue
@ -46,6 +46,7 @@
 								<img
 									v-if="tag.poster"
 									:src="`/${tag.poster.thumbnail}`"
+									:style="{ 'background-image': `url(/${tag.poster.lazy})` }"
 									:title="tag.poster.comment"
 									class="thumb"
 									loading="lazy"
--- a/src/actors.js
+++ b/src/actors.js
@ -7,6 +7,7 @@ import { utilsApi } from './manticore.js';
 import { HttpError } from './errors.js';
 import { fetchCountriesByAlpha2 } from './countries.js';
 import { curateStash } from './stashes.js';
+import escape from '../utils/escape-manticore.js';
 import slugify from '../utils/slugify.js';

 export function curateActor(actor, context = {}) {
@ -153,7 +154,7 @@ function curateOptions(options) {
 		page: options?.page || 1,
 		limit: options?.limit || 30,
 		requireAvatar: options?.requireAvatar || false,
-		order: [options.order?.[0] || 'name', options.order?.[1] || 'asc'],
+		order: [escape(options.order?.[0]) || 'name', escape(options.order?.[1]) || 'asc'],
 	};
 }

@ -364,7 +365,7 @@ async function queryManticoreSql(filters, options, _reqUser) {
 				}

 				if (filters.query) {
-					builder.whereRaw('match(\'@name :query:\', actors)', { query: filters.query });
+					builder.whereRaw('match(\'@name :query:\', actors)', { query: escape(filters.query) });
 				}

 				// attribute filters
--- a/src/api.js
+++ b/src/api.js
@ -16,7 +16,7 @@ function getQuery(data) {

 	const curatedQuery = Object.fromEntries(Object.entries(data).map(([key, value]) => (value === undefined ? null : [key, value])).filter(Boolean));

-	return `?${encodeURI(decodeURIComponent(new URLSearchParams(curatedQuery).toString()))}`; // recode so commas aren't encoded
+	return `?${new URLSearchParams(curatedQuery).toString()}`; // recode so commas aren't encoded
 }

 function showFeedback(isSuccess, options = {}, errorMessage) {
--- a/src/navigate.js
+++ b/src/navigate.js
@ -9,7 +9,7 @@ export default function navigate(path, query, options = {}) {
 	}).toString();

 	const url = queryString
-		? `${path}?${encodeURI(decodeURIComponent(queryString))}` // URLSearchParams encodes commas, we don't want that
+		? `${path}?${queryString.replace(/%2C/g, ',')}` // URLSearchParams encodes commas, we don't want that
 		: path;

 	if (options.redirect) {
--- a/src/scenes.js
+++ b/src/scenes.js
@ -8,6 +8,7 @@ import { fetchActorsById, curateActor, sortActorsByGender } from './actors.js';
 import { fetchTagsById } from './tags.js';
 import { fetchEntitiesById } from './entities.js';
 import { curateStash } from './stashes.js';
+import escape from '../utils/escape-manticore.js';
 import promiseProps from '../utils/promise-props.js';

 function curateMedia(media) {
@ -428,7 +429,7 @@ async function queryManticoreSql(filters, options, _reqUser) {
 				}

 				if (filters.query) {
-					builder.whereRaw('match(\'@!title :query:\', scenes)', { query: filters.query });
+					builder.whereRaw('match(\'@!title :query:\', scenes)', { query: escape(filters.query) });
 				}

 				filters.tagIds?.forEach((tagId) => {
@ -492,8 +493,7 @@ async function queryManticoreSql(filters, options, _reqUser) {
 				}
 			})
 			.limit(options.limit)
-			.offset((options.page - 1) * options.limit)
-			.toString(),
+			.offset((options.page - 1) * options.limit),
 		// option threads=1 fixes actors, but drastically slows down performance, wait for fix
 		actorsFacet: options.aggregateActors ? knex.raw('facet scenes.actor_ids order by count(*) desc limit ?', [aggSize]) : null,
 		tagsFacet: options.aggregateTags ? knex.raw('facet scenes.tag_ids order by count(*) desc limit ?', [aggSize]) : null,
--- a/utils/escape-manticore.js
+++ b/utils/escape-manticore.js
@ -0,0 +1,11 @@
+// https://manual.manticoresearch.com/Searching/Full_text_matching/Escaping#Escaping-characters-in-query-string
+export default function escape(string) {
+	if (!string) {
+		return null;
+	}
+
+	return string
+		.replace(/\\/g, String.raw`\\\\`) // using String.raw so we don't have to double up JS and SQL escaping
+		.replace(/'/g, String.raw`\'`)
+		.replace(/(["!$()/<@^|~-])/g, String.raw`\\$1`);
+}