From 28f564ee4c1b188c06d91d3e4ca0412dd121ad12 Mon Sep 17 00:00:00 2001
From: Omar Roth
Date: Thu, 8 Nov 2018 17:27:21 -0600
Subject: [PATCH] Fix XSS in title and input bar

---
 src/invidious/views/search.ecr | 2 +-
 src/invidious/views/template.ecr | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/invidious/views/search.ecr b/src/invidious/views/search.ecr
index f02afedd..7ab3d0c7 100644
--- a/src/invidious/views/search.ecr
+++ b/src/invidious/views/search.ecr
@@ -1,5 +1,5 @@
 <% content_for "header" do %>
-<%= search_query.not_nil!.size > 30 ? query.not_nil![0,30].rstrip(".") + "..." : query.not_nil! %> - Invidious
+<%= search_query.not_nil!.size > 30 ? HTML.escape(query.not_nil![0,30].rstrip(".") + "...") : HTML.escape(query.not_nil!) %> - Invidious
 <% end %>
 
 <% videos.each_slice(4) do |slice| %>
diff --git a/src/invidious/views/template.ecr b/src/invidious/views/template.ecr
index bcf20c46..1e31fb4a 100644
--- a/src/invidious/views/template.ecr
+++ b/src/invidious/views/template.ecr
@@ -35,7 +35,7 @@
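Review bot: The new title line in search.ecr still measures `search_query.not_nil!.size` but truncates and prints `query.not_nil!`; if those two values can differ (the hunk does not show where either is assigned), the 30-character cutoff is applied to the wrong string and an over-long `query` reaches the title escaped but untruncated. The escaping itself is sound — truncating first and escaping the result avoids slicing an entity in half — but calling `HTML.escape` separately on each branch of the ternary is easy to let drift, and escaping the whole expression once is clearer: `<%= HTML.escape(search_query.not_nil!.size > 30 ? query.not_nil![0,30].rstrip(".") + "..." : query.not_nil!) %> - Invidious`. If both names are meant to hold the same value, using one of them in both places would also remove the ambiguity. The template.ecr hunk for the input bar named in the subject is cut off at the end of this chunk, so that half of the fix is not reviewable here.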