Improved special character handling in manticore and URL query.

2024-04-01 01:50:24 +02:00
parent 56e9d07b85
commit 6f371499d3
7 changed files with 21 additions and 8 deletions
--- a/src/actors.js
+++ b/src/actors.js
@@ -7,6 +7,7 @@ import { utilsApi } from './manticore.js';
 import { HttpError } from './errors.js';
 import { fetchCountriesByAlpha2 } from './countries.js';
 import { curateStash } from './stashes.js';
+import escape from '../utils/escape-manticore.js';
 import slugify from '../utils/slugify.js';

 export function curateActor(actor, context = {}) {
@@ -153,7 +154,7 @@ function curateOptions(options) {
 		page: options?.page || 1,
 		limit: options?.limit || 30,
 		requireAvatar: options?.requireAvatar || false,
-		order: [options.order?.[0] || 'name', options.order?.[1] || 'asc'],
+		order: [escape(options.order?.[0]) || 'name', escape(options.order?.[1]) || 'asc'],
 	};
 }

@@ -364,7 +365,7 @@ async function queryManticoreSql(filters, options, _reqUser) {
 				}

 				if (filters.query) {
-					builder.whereRaw('match(\'@name :query:\', actors)', { query: filters.query });
+					builder.whereRaw('match(\'@name :query:\', actors)', { query: escape(filters.query) });
 				}

 				// attribute filters
--- a/src/api.js
+++ b/src/api.js
@@ -16,7 +16,7 @@ function getQuery(data) {

 	const curatedQuery = Object.fromEntries(Object.entries(data).map(([key, value]) => (value === undefined ? null : [key, value])).filter(Boolean));

-	return `?${encodeURI(decodeURIComponent(new URLSearchParams(curatedQuery).toString()))}`; // recode so commas aren't encoded
+	return `?${new URLSearchParams(curatedQuery).toString()}`; // recode so commas aren't encoded
 }

 function showFeedback(isSuccess, options = {}, errorMessage) {
--- a/src/navigate.js
+++ b/src/navigate.js
@@ -9,7 +9,7 @@ export default function navigate(path, query, options = {}) {
 	}).toString();

 	const url = queryString
-		? `${path}?${encodeURI(decodeURIComponent(queryString))}` // URLSearchParams encodes commas, we don't want that
+		? `${path}?${queryString.replace(/%2C/g, ',')}` // URLSearchParams encodes commas, we don't want that
 		: path;

 	if (options.redirect) {
--- a/src/scenes.js
+++ b/src/scenes.js
@@ -8,6 +8,7 @@ import { fetchActorsById, curateActor, sortActorsByGender } from './actors.js';
 import { fetchTagsById } from './tags.js';
 import { fetchEntitiesById } from './entities.js';
 import { curateStash } from './stashes.js';
+import escape from '../utils/escape-manticore.js';
 import promiseProps from '../utils/promise-props.js';

 function curateMedia(media) {
@@ -428,7 +429,7 @@ async function queryManticoreSql(filters, options, _reqUser) {
 				}

 				if (filters.query) {
-					builder.whereRaw('match(\'@!title :query:\', scenes)', { query: filters.query });
+					builder.whereRaw('match(\'@!title :query:\', scenes)', { query: escape(filters.query) });
 				}

 				filters.tagIds?.forEach((tagId) => {
@@ -492,8 +493,7 @@ async function queryManticoreSql(filters, options, _reqUser) {
 				}
 			})
 			.limit(options.limit)
-			.offset((options.page - 1) * options.limit)
-			.toString(),
+			.offset((options.page - 1) * options.limit),
 		// option threads=1 fixes actors, but drastically slows down performance, wait for fix
 		actorsFacet: options.aggregateActors ? knex.raw('facet scenes.actor_ids order by count(*) desc limit ?', [aggSize]) : null,
 		tagsFacet: options.aggregateTags ? knex.raw('facet scenes.tag_ids order by count(*) desc limit ?', [aggSize]) : null,