highlight_search_terms: terms vs regex compliation
Issue #601
resolved
Using parenthesis in search query beaks the display of the message. It probably needs even more scrubbing than this, but for now this worked for me:
--- model/search/message.php.orig 2015-09-10 21:04:11.646878148 +0000
+++ model/search/message.php 2015-09-10 22:03:44.088521597 +0000
@@ -477,7 +477,7 @@
private function highlight_search_terms($s = '', $terms = '', $html = 0) {
$fields = array("from:", "to:", "subject:", "body:");
- $terms = preg_replace("/(\'|\"|\=|\>|\<)/", "", $terms);
+ $terms = preg_replace("/(\'|\"|\=|\>|\<|\)|\()/", "", $terms);
$a = explode(" ", $terms);
$terms = array();
Comments (4)
-
repo owner -
reporter I agree. I think that this whitelist approach is the safest way to go without over-engineering.
From memory, I tried
/\W/
, remembered about whitespace, and decided that/[^\w\s]/
was better. Then I thought about email addresses as terms where the@
and.
would be removed. Not being sure what other functionality would break, I decided (for now) to punt by just adding to the existing blacklist. -
repo owner You are right, I forgot about the space. I don't think we miss the @ symbol or the period, because the remaining highlighted text still makes sense.
-
repo owner - changed status to resolved
- Log in to comment
How about this fix?