Merge pull request #1023 from kiwix/suggestions_with_control_characters

kelson42 · web-flow · commit 24faf84163db · 2023-11-17T15:12:13.000+01:00
Control characters are escaped in suggestions JSON
diff --git a/src/tools/otherTools.cpp b/src/tools/otherTools.cpp
@@ -330,17 +330,19 @@ std::string kiwix::render_template(const std::string& template_str, kainjow::mus
 namespace
 {
 
-std::string escapeBackslashes(const std::string& s)
+std::string escapeForJSON(const std::string& s)
 {
-  std::string es;
-  es.reserve(s.size());
+  std::ostringstream oss;
   for (char c : s) {
     if ( c == '\\' ) {
-      es.push_back('\\');
+      oss << "\\\\";
+    } else if ( unsigned(c) < 0x20U ) {
+      oss << "\\u" << std::setw(4) << std::setfill('0') << unsigned(c);
+    } else {
+      oss << c;
     }
-    es.push_back(c);
   }
-  return es;
+  return oss.str();
 }
 
 std::string makeFulltextSearchSuggestion(const std::string& lang,
@@ -368,10 +370,10 @@ void kiwix::Suggestions::add(const zim::SuggestionItem& suggestion)
                           ? suggestion.getSnippet()
                           : suggestion.getTitle();
 
-  result.set("label", escapeBackslashes(label));
-  result.set("value", escapeBackslashes(suggestion.getTitle()));
+  result.set("label", escapeForJSON(label));
+  result.set("value", escapeForJSON(suggestion.getTitle()));
   result.set("kind", "path");
-  result.set("path", escapeBackslashes(suggestion.getPath()));
+  result.set("path", escapeForJSON(suggestion.getPath()));
   result.set("first", m_data.is_empty_list());
   m_data.push_back(result);
 }
@@ -381,8 +383,8 @@ void kiwix::Suggestions::addFTSearchSuggestion(const std::string& uiLang,
 {
   kainjow::mustache::data result;
   const std::string label = makeFulltextSearchSuggestion(uiLang, queryString);
-  result.set("label", escapeBackslashes(label));
-  result.set("value", escapeBackslashes(queryString + " "));
+  result.set("label", escapeForJSON(label));
+  result.set("value", escapeForJSON(queryString + " "));
   result.set("kind", "pattern");
   result.set("first", m_data.is_empty_list());
   m_data.push_back(result);
diff --git a/test/otherTools.cpp b/test/otherTools.cpp
@@ -100,7 +100,7 @@ TEST(Suggestions, specialCharHandling)
 {
   // HTML special symbols (<, >, &, ", and ') must be HTML-escaped
   // Backslash symbols (\) must be duplicated.
-  const std::string SYMBOLS(R"(\<>&'"~!@#$%^*()_+`-=[]{}|:;,.?)");
+  const std::string SYMBOLS("\t\n\r" R"(\<>&'"~!@#$%^*()_+`-=[]{}|:;,.?)");
   {
     kiwix::Suggestions s;
     s.add(zim::SuggestionItem("Title with "   + SYMBOLS,
@@ -110,10 +110,10 @@ TEST(Suggestions, specialCharHandling)
     CHECK_SUGGESTIONS(s.getJSON(),
 R"EXPECTEDJSON([
   {
-    "value" : "Title with \\&lt;&gt;&amp;&apos;&quot;~!@#$%^*()_+`-=[]{}|:;,.?",
-    "label" : "Snippet with \\&lt;&gt;&amp;&apos;&quot;~!@#$%^*()_+`-=[]{}|:;,.?",
+    "value" : "Title with \u0009\u0010\u0013\\&lt;&gt;&amp;&apos;&quot;~!@#$%^*()_+`-=[]{}|:;,.?",
+    "label" : "Snippet with \u0009\u0010\u0013\\&lt;&gt;&amp;&apos;&quot;~!@#$%^*()_+`-=[]{}|:;,.?",
     "kind" : "path"
-      , "path" : "Path with \\&lt;&gt;&amp;&apos;&quot;~!@#$%^*()_+`-=[]{}|:;,.?"
+      , "path" : "Path with \u0009\u0010\u0013\\&lt;&gt;&amp;&apos;&quot;~!@#$%^*()_+`-=[]{}|:;,.?"
   }
 ]
 )EXPECTEDJSON"
@@ -128,10 +128,10 @@ R"EXPECTEDJSON([
     CHECK_SUGGESTIONS(s.getJSON(),
 R"EXPECTEDJSON([
   {
-    "value" : "Snippetless title with \\&lt;&gt;&amp;&apos;&quot;~!@#$%^*()_+`-=[]{}|:;,.?",
-    "label" : "Snippetless title with \\&lt;&gt;&amp;&apos;&quot;~!@#$%^*()_+`-=[]{}|:;,.?",
+    "value" : "Snippetless title with \u0009\u0010\u0013\\&lt;&gt;&amp;&apos;&quot;~!@#$%^*()_+`-=[]{}|:;,.?",
+    "label" : "Snippetless title with \u0009\u0010\u0013\\&lt;&gt;&amp;&apos;&quot;~!@#$%^*()_+`-=[]{}|:;,.?",
     "kind" : "path"
-      , "path" : "Path with \\&lt;&gt;&amp;&apos;&quot;~!@#$%^*()_+`-=[]{}|:;,.?"
+      , "path" : "Path with \u0009\u0010\u0013\\&lt;&gt;&amp;&apos;&quot;~!@#$%^*()_+`-=[]{}|:;,.?"
   }
 ]
 )EXPECTEDJSON"
@@ -145,8 +145,8 @@ R"EXPECTEDJSON([
     CHECK_SUGGESTIONS(s.getJSON(),
 R"EXPECTEDJSON([
   {
-    "value" : "text with \\&lt;&gt;&amp;&apos;&quot;~!@#$%^*()_+`-=[]{}|:;,.? ",
-    "label" : "containing &apos;text with \\&lt;&gt;&amp;&apos;&quot;~!@#$%^*()_+`-=[]{}|:;,.?&apos;...",
+    "value" : "text with \u0009\u0010\u0013\\&lt;&gt;&amp;&apos;&quot;~!@#$%^*()_+`-=[]{}|:;,.? ",
+    "label" : "containing &apos;text with \u0009\u0010\u0013\\&lt;&gt;&amp;&apos;&quot;~!@#$%^*()_+`-=[]{}|:;,.?&apos;...",
     "kind" : "pattern"
     //EOLWHITESPACEMARKER
   }

Original file line number	Diff line number	Diff line change
`@@ -100,7 +100,7 @@ TEST(Suggestions, specialCharHandling)`
`100`	`100`	`{`
`101`	`101`	`// HTML special symbols (<, >, &, ", and ') must be HTML-escaped`
`102`	`102`	`// Backslash symbols (\) must be duplicated.`
`103`		- const std::string SYMBOLS(R"(\<>&'"~!@#$%^*()_+`-=[]{}\|:;,.?)");
	`103`	+ const std::string SYMBOLS("\t\n\r" R"(\<>&'"~!@#$%^*()_+`-=[]{}\|:;,.?)");
`104`	`104`	`{`
`105`	`105`	`kiwix::Suggestions s;`
`106`	`106`	`s.add(zim::SuggestionItem("Title with " + SYMBOLS,`
`@@ -110,10 +110,10 @@ TEST(Suggestions, specialCharHandling)`
`110`	`110`	`CHECK_SUGGESTIONS(s.getJSON(),`
`111`	`111`	`R"EXPECTEDJSON([`
`112`	`112`	`{`
`113`		- "value" : "Title with \\<>&'"~!@#$%^*()_+`-=[]{}\|:;,.?",
`114`		- "label" : "Snippet with \\<>&'"~!@#$%^*()_+`-=[]{}\|:;,.?",
	`113`	+ "value" : "Title with \u0009\u0010\u0013\\<>&'"~!@#$%^*()_+`-=[]{}\|:;,.?",
	`114`	+ "label" : "Snippet with \u0009\u0010\u0013\\<>&'"~!@#$%^*()_+`-=[]{}\|:;,.?",
`115`	`115`	`"kind" : "path"`
`116`		- , "path" : "Path with \\<>&'"~!@#$%^*()_+`-=[]{}\|:;,.?"
	`116`	+ , "path" : "Path with \u0009\u0010\u0013\\<>&'"~!@#$%^*()_+`-=[]{}\|:;,.?"
`117`	`117`	`}`
`118`	`118`	`]`
`119`	`119`	`)EXPECTEDJSON"`
`@@ -128,10 +128,10 @@ R"EXPECTEDJSON([`
`128`	`128`	`CHECK_SUGGESTIONS(s.getJSON(),`
`129`	`129`	`R"EXPECTEDJSON([`
`130`	`130`	`{`
`131`		- "value" : "Snippetless title with \\<>&'"~!@#$%^*()_+`-=[]{}\|:;,.?",
`132`		- "label" : "Snippetless title with \\<>&'"~!@#$%^*()_+`-=[]{}\|:;,.?",
	`131`	+ "value" : "Snippetless title with \u0009\u0010\u0013\\<>&'"~!@#$%^*()_+`-=[]{}\|:;,.?",
	`132`	+ "label" : "Snippetless title with \u0009\u0010\u0013\\<>&'"~!@#$%^*()_+`-=[]{}\|:;,.?",
`133`	`133`	`"kind" : "path"`
`134`		- , "path" : "Path with \\<>&'"~!@#$%^*()_+`-=[]{}\|:;,.?"
	`134`	+ , "path" : "Path with \u0009\u0010\u0013\\<>&'"~!@#$%^*()_+`-=[]{}\|:;,.?"
`135`	`135`	`}`
`136`	`136`	`]`
`137`	`137`	`)EXPECTEDJSON"`
`@@ -145,8 +145,8 @@ R"EXPECTEDJSON([`
`145`	`145`	`CHECK_SUGGESTIONS(s.getJSON(),`
`146`	`146`	`R"EXPECTEDJSON([`
`147`	`147`	`{`
`148`		- "value" : "text with \\<>&'"~!@#$%^*()_+`-=[]{}\|:;,.? ",
`149`		- "label" : "containing 'text with \\<>&'"~!@#$%^*()_+`-=[]{}\|:;,.?'...",
	`148`	+ "value" : "text with \u0009\u0010\u0013\\<>&'"~!@#$%^*()_+`-=[]{}\|:;,.? ",
	`149`	+ "label" : "containing 'text with \u0009\u0010\u0013\\<>&'"~!@#$%^*()_+`-=[]{}\|:;,.?'...",
`150`	`150`	`"kind" : "pattern"`
`151`	`151`	`//EOLWHITESPACEMARKER`
`152`	`152`	`}`