From 7fe066b4ea2deea4232dcf0eaf30f02427e81e00 Mon Sep 17 00:00:00 2001
From: Ben Busby
Date: Mon, 1 Nov 2021 15:34:59 -0600
Subject: [PATCH] Escape result html after bolding search terms

Fixes #518
---
 app/routes.py | 2 +-
 app/utils/results.py | 7 ++++---
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/app/routes.py b/app/routes.py
index b6e6f45..6e96a61 100644
--- a/app/routes.py
+++ b/app/routes.py
@@ -275,7 +275,7 @@ def search():
 is_translation=any(
 _ in query.lower() for _ in [translation['translate'], 'translate']
 ) and not search_util.search_type, # Standard search queries only
- response=html.unescape(str(response)),
+ response=response,
 version_number=app.config['VERSION_NUMBER'],
 search_header=(render_template(
 'header.html',
diff --git a/app/utils/results.py b/app/utils/results.py
index e04b629..76cb2cb 100644
--- a/app/utils/results.py
+++ b/app/utils/results.py
@@ -1,4 +1,5 @@
 from bs4 import BeautifulSoup, NavigableString
+import html
 import os
 import urllib.parse as urlparse
 from urllib.parse import parse_qs
@@ -56,11 +57,11 @@ def bold_search_terms(response: str, query: str) -> BeautifulSoup:
 element.parent and element.parent.name == 'style'):
 return
 
- element.replace_with(
+ element.replace_with(BeautifulSoup(
 re.sub(fr'\b((?![{{}}<>-]){target_word}(?![{{}}<>-]))\b',
 r'\1',
- element,
- flags=re.I)
+ html.escape(element),
+ flags=re.I), 'html.parser')
 )
 
 # Split all words out of query, grouping the ones wrapped in quotes
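Review bot: The new `response=response,` line drops the `html.unescape(str(response))` call without recording why, so the fix for #518 can be quietly regressed by someone reinstating the unescape later. A one-line comment pins the invariant: `response=response,  # text nodes already HTML-escaped in bold_search_terms; never unescape here (#518)`. The kwarg belongs to a call inside search() whose start and end are outside the hunk, and whether the template still renders this value as trusted markup is not visible here, so that should be confirmed alongside the change.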
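Review bot: `html.escape(element)` is applied to the text but not to `target_word` in the pattern two lines above it, so a query term containing `&`, `'` or `"` no longer matches: `html.escape` defaults to `quote=True`, turning `don't` into `don&#x27;t` while the pattern still looks for `don't`. Escaping the term the same way where the pattern is built (`target_word` is assembled outside this hunk, so whether it is also `re.escape`d is not visible) keeps both sides consistent and removes a class of user-controlled regex surprises if it is not. Escaping first and then re-parsing only the bold wrapper the substitution adds is the right order for the #518 fix; the replacement string shows as `r'\1'` in this rendering, which looks like the tags were stripped by extraction rather than absent. bold_search_terms continues above and below the hunk.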