From cace587e64a6927a9140bca2cf967c8cf5f63428 Mon Sep 17 00:00:00 2001 From: Frank Elsinga Date: Wed, 3 Aug 2022 00:17:18 +0200 Subject: [PATCH] added the aditional level of sanatisation back --- openapi.yaml | 318 +++++++++++++------------- server/src/core/search/mod.rs | 11 +- webclient/src/modules/autocomplete.js | 13 +- 3 files changed, 183 insertions(+), 159 deletions(-) diff --git a/openapi.yaml b/openapi.yaml index 075b2df35..79d767ec8 100644 --- a/openapi.yaml +++ b/openapi.yaml @@ -40,7 +40,9 @@ paths: Instead of simply returning a list, the search results are returned in a way to provide a richer experience by splitting them up into sections. You might not necessarily need to implement all types of sections, or all sections features (if you just want to show a list). The order of sections is a suggested order to display them, but you may change this as you like. - Some fields support highlighting the query terms and it uses and to mark the beginning/end of a highlighted sequence. + Some fields support highlighting the query terms and it uses \x19 and \x17 to mark the beginning/end of a highlighted sequence. + (See [Wikipedia](https://en.wikipedia.org/wiki/C0_and_C1_control_codes#Modified_C0_control_code_sets)). + Some text-renderers will ignore them, but in case you do not want to use them, you might want to remove them from the responses via empty `pre_highlight` and `pre_highlight` query parameters. parameters: - name: q in: query 
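Review bot: The added sentence names the same parameter twice — "via empty `pre_highlight` and `pre_highlight` query parameters" — where the second should be `post_highlight`, matching the parameter definitions later in the file; a reader following this advice would only disable half of the highlighting. Suggested wording: `you might want to remove them from the responses via empty `pre_highlight` and `post_highlight` query parameters.` Since this text now describes the default behaviour (markers on unless both are empty), it would also help to say so explicitly in the same sentence.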
@@ -105,11 +107,16 @@ paths: string to include in front of highlighted sequences. If this and `post_highlight` are empty, highlighting is disabled. schema: - default: "" + default: "/u0019" + minLength: 0 + maxLength: 25 type: string examples: default: - summary: The default value + summary: The default value (See [Wikipedia](https://en.wikipedia.org/wiki/C0_and_C1_control_codes#Modified_C0_control_code_sets)). + value: '/u0019' + em: + summary: A good alternative default value value: '' ais-highlight: summary: Another good alternative @@ -120,22 +127,27 @@ paths: string to include after the highlighted sequences. If this and `pre_highlight` are empty, highlighting is disabled. schema: - default: "" + default: "/u0017" + minLength: 0 + maxLength: 25 type: string examples: default: - summary: The default value - value: '' + summary: The default value (See [Wikipedia](https://en.wikipedia.org/wiki/C0_and_C1_control_codes#Modified_C0_control_code_sets)). + value: '/u0017' + em: + summary: A good alternative default value + value: "" ais-highlight: summary: Another good alternative - value: '' + value: "" responses: - '200': + "200": description: The search-result content: application/json: schema: - $ref: '#/components/schemas/SearchResponse' + $ref: "#/components/schemas/SearchResponse" examples: mw: value: 
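Review bot: The new `default: "/u0019"` and the example `value: '/u0019'` use a forward slash, so the spec documents a literal six-character string as the default rather than the C0 control character the server now substitutes (`\u{0019}` in `sanitise_args`); the same applies to `"/u0017"` in the `post_highlight` hunk that follows. In a YAML double-quoted scalar the escape is `"\u0019"`, so `default: "\u0019"` and `value: "\u0019"` (and `"\u0017"` for `post_highlight`) would make the documented default match the implementation. `maxLength: 25` in OpenAPI is a character count, while the server-side truncation works on bytes, so the spec should state which limit a client can rely on.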
@@ -146,21 +158,21 @@ paths: type: joined_building name: "Maschinenwesen (\x19MW\x17)" subtext: Gebäudekomplex - - id: '5538' + - id: "5538" type: building name: "Interims-Tentomax Garching \x19MW\x17, HS1/HS2" subtext: Gebäude - - id: '5501' + - id: "5501" type: building - name: 'Gebäudeteil 1, Institut für Mechatronik' + name: "Gebäudeteil 1, Institut für Mechatronik" subtext: Gebäudeteil - - id: '5502' + - id: "5502" type: building - name: 'Gebäudeteil 2, Institut für Werkstoffe und Verarbeitung' + name: "Gebäudeteil 2, Institut für Werkstoffe und Verarbeitung" subtext: Gebäudeteil - - id: '5503' + - id: "5503" type: building - name: 'Gebäudeteil 3, Institut für Produktionstechnik' + name: "Gebäudeteil 3, Institut für Produktionstechnik" subtext: Gebäudeteil n_visible: 5 estimatedTotalHits: 20 @@ -208,7 +220,7 @@ paths: sections: - facet: sites_buildings entries: - - id: '5416' + - id: "5416" type: building name: "\x19Interims\x17hörsäle II, Jürgen Manchot-Hörsaalgebäude" subtext: Gebäude @@ -219,12 +231,12 @@ paths: - id: 5416.01.004 type: room name: "5416.01.004 (Hörsaal 1 \"\x19Interims\x17 II\")" - subtext: 'Interimshörsäle II, Jürgen Manchot-Hörsaalgebäude' + subtext: "Interimshörsäle II, Jürgen Manchot-Hörsaalgebäude" subtext_bold: 004@5416 - id: 5416.01.003 type: room name: "5416.01.003 (Hörsaal \x192\x17, \"\x19Interims\x17 II\")" - subtext: 'Interimshörsäle II, Jürgen Manchot-Hörsaalgebäude' + subtext: "Interimshörsäle II, Jürgen Manchot-Hörsaalgebäude" subtext_bold: 003@5416 - id: 5620.01.102 type: room 
@@ -239,15 +251,15 @@ paths: - id: 5416.EG.010 type: room name: 5416.EG.010 (IT/Audio) - subtext: 'Interimshörsäle II, Jürgen Manchot-Hörsaalgebäude' + subtext: "Interimshörsäle II, Jürgen Manchot-Hörsaalgebäude" subtext_bold: 010@5416 estimatedTotalHits: 23 time_ms: 23 - '400': + "400": description: Invalid Request content: {} - '404': - description: '`search_query` is empty. Since searching for nothing is nonsensical, we dont support this.' + "404": + description: "`search_query` is empty. Since searching for nothing is nonsensical, we dont support this." content: text/plain: schema: @@ -255,12 +267,12 @@ paths: enum: - Not found example: Not found - '414': + "414": description: The uri you are trying to request is unreasonably long. Search querys dont have thousands of chars.. content: {} tags: - core - '/api/get/{id}': + "/api/get/{id}": get: operationId: get summary: Get entry-details @@ -281,9 +293,9 @@ paths: root: summary: The root entry of the NavigaTUM-data value: root - '5304': + "5304": summary: A normal building - value: '5304' + value: "5304" garching: summary: The garching campus value: garching @@ -291,10 +303,10 @@ paths: summary: The MRI campus value: garching mi: - summary: 'A large, (custom named) building' + summary: "A large, (custom named) building" value: mi mw: - summary: 'An other large, (custom named) building' + summary: "An other large, (custom named) building" value: mw fsmpi: summary: A regular room @@ -309,14 +321,14 @@ paths: summary: A virtual room value: 1543 responses: - '200': + "200": description: More data about the requested building/room content: application/json: schema: oneOf: - - $ref: '#/components/schemas/RootResponse' - - $ref: '#/components/schemas/DetailsResponse' + - $ref: "#/components/schemas/RootResponse" + - $ref: "#/components/schemas/DetailsResponse" discriminator: propertyName: type mapping: 
@@ -348,49 +360,49 @@ paths: id: rf87 name: FMI Garching BT02 EG path: webp/rf87.webp - scale: '500' + scale: "500" source: Roomfinder width: 399 x: 234 - 'y': 286 + "y": 286 - height: 461 id: rf142 name: FMI Übersicht path: webp/rf142.webp - scale: '2000' + scale: "2000" source: Roomfinder width: 639 x: 499 - 'y': 189 + "y": 189 - height: 480 id: rf80 name: Lageplan Campus Garching path: webp/rf80.webp - scale: '10000' + scale: "10000" source: Roomfinder width: 676 x: 340 - 'y': 334 + "y": 334 - height: 603 id: rf54 name: München path: webp/rf54.webp - scale: '200000' + scale: "200000" source: Roomfinder width: 640 x: 444 - 'y': 35 + "y": 35 - height: 515 id: rf156 name: München und Umgebung path: webp/rf156.webp - scale: '400000' + scale: "400000" source: Roomfinder width: 420 x: 265 - 'y': 167 + "y": 167 default: rf142 - name: '5602.EG.001 (MI HS 1, Friedrich L. Bauer Hörsaal)' + name: "5602.EG.001 (MI HS 1, Friedrich L. Bauer Hörsaal)" parent_names: - Standorte - Garching Forschungszentrum @@ -400,7 +412,7 @@ paths: - root - garching - mi - - '5602' + - "5602" props: computed: - name: Raumkennung @@ -408,9 +420,9 @@ paths: - name: Architekten-Name text: 00.02.001 - name: Adresse - text: 'Boltzmannstr. 3, EG, 85748 Garching b. München' + text: "Boltzmannstr. 3, EG, 85748 Garching b. München" - name: Sitzplätze - text: '522' + text: "522" ranking_factors: rank_combined: 900 rank_type: 100 @@ -418,9 +430,9 @@ paths: sources: base: - name: TUMOnline - url: 'https://campus.tum.de/tumonline/ee/ui/ca2/app/desktop/#/pl/ui/$ctx/wbRaum.editRaum?pRaumNr=12325' + url: "https://campus.tum.de/tumonline/ee/ui/ca2/app/desktop/#/pl/ui/$ctx/wbRaum.editRaum?pRaumNr=12325" - name: Roomfinder - url: 'https://portal.mytum.de/displayRoomMap?roomid=00.02.001@5602&disable_decoration=yes' + url: "https://portal.mytum.de/displayRoomMap?roomid=00.02.001@5602&disable_decoration=yes" type: room type_common_name: Hörsaal usage: 
@@ -447,47 +459,47 @@ paths: id: rf95 name: FMI Garching BT06 EG path: webp/rf95.webp - scale: '500' + scale: "500" source: Roomfinder width: 318 x: 207 - 'y': 217 + "y": 217 - height: 461 id: rf142 name: FMI Übersicht path: webp/rf142.webp - scale: '2000' + scale: "2000" source: Roomfinder width: 639 x: 443 - 'y': 242 + "y": 242 - height: 480 id: rf80 name: Lageplan Campus Garching path: webp/rf80.webp - scale: '10000' + scale: "10000" source: Roomfinder width: 676 x: 329 - 'y': 344 + "y": 344 - height: 603 id: rf54 name: München path: webp/rf54.webp - scale: '200000' + scale: "200000" source: Roomfinder width: 640 x: 444 - 'y': 36 + "y": 36 - height: 515 id: rf156 name: München und Umgebung path: webp/rf156.webp - scale: '400000' + scale: "400000" source: Roomfinder width: 420 x: 265 - 'y': 167 + "y": 167 default: rf142 name: 5606.EG.036 (MPI Fachschaftsbüro im MI) parent_names: @@ -499,7 +511,7 @@ paths: - root - garching - mi - - '5606' + - "5606" props: computed: - name: Raumkennung @@ -507,7 +519,7 @@ paths: - name: Architekten-Name text: 00.06.036 - name: Adresse - text: 'Boltzmannstr. 3, EG, 85748 Garching b. München' + text: "Boltzmannstr. 3, EG, 85748 Garching b. München" ranking_factors: rank_combined: 100 rank_type: 100 @@ -516,16 +528,16 @@ paths: base: - name: NavigaTUM - name: TUMOnline - url: 'https://campus.tum.de/tumonline/ee/ui/ca2/app/desktop/#/pl/ui/$ctx/wbRaum.editRaum?pRaumNr=55601' + url: "https://campus.tum.de/tumonline/ee/ui/ca2/app/desktop/#/pl/ui/$ctx/wbRaum.editRaum?pRaumNr=55601" - name: Roomfinder - url: 'https://portal.mytum.de/displayRoomMap?roomid=00.06.036@5606&disable_decoration=yes' + url: "https://portal.mytum.de/displayRoomMap?roomid=00.06.036@5606&disable_decoration=yes" type: room type_common_name: Büro usage: din_277: NF2.1 din_277_desc: Büroräume name: Büro - '404': + "404": description: Invalid input content: text/plain: 
@@ -544,13 +556,13 @@ paths: This endpoint returns a link to the source-code of the repository at the currently running version. This endpoint is not required for modifications (as the license is not AGPL), but strongly encouraged. responses: - '200': + "200": description: The link to the source-code of the repository at the currently running version content: text/plain: schema: type: string - example: 'https://github.com/TUM-Dev/navigatum/tree/eb10c1f4cfbbd66d37f2f9e5e13139c1fde15a4b' + example: "https://github.com/TUM-Dev/navigatum/tree/eb10c1f4cfbbd66d37f2f9e5e13139c1fde15a4b" tags: - core /api/feedback/get_token: @@ -573,18 +585,18 @@ paths: - hourly: 20 tokens per hour - daily: 50 tokens per responses: - '201': + "201": description: Returns a usable token content: application/json: schema: - $ref: '#/components/schemas/TokenResponse' - '429': + $ref: "#/components/schemas/TokenResponse" + "429": description: | Too many requests. We are rate-limiting everyone''s requests, please try again later. content: {} - '503': + "503": description: | Service unavailable. We have not configured a GitHub Access Token. @@ -607,9 +619,9 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/TokenRequest' + $ref: "#/components/schemas/TokenRequest" responses: - '201': + "201": description: | The feedback has been successfully posted to GitHub. We return the link to the GitHub issue. @@ -617,11 +629,11 @@ paths: text/plain: schema: type: string - example: 'https://github.com/TUM-Dev/navigatum/issues/9' - '400': + example: "https://github.com/TUM-Dev/navigatum/issues/9" + "400": description: If not all fields in the body are present as defined above content: {} - '403': + "403": description: | Forbidden. Causes are (delivered via the body): 
@@ -638,23 +650,23 @@ paths: - Token not old enough, please wait - Token expired - Token already used - '422': + "422": description: | Unprocessable Entity Subject or body missing or too short. content: {} - '451': + "451": description: | Unavailable for legal reasons. Using this endpoint without accepting the privacy policy is not allowed. For us to post to GitHub, this has to be true content: {} - '500': + "500": description: | Internal Server Error. We have a problem communicating with GitHubs servers. Please try again later. content: {} - '503': + "503": description: | Service unavailable. We have not configured a GitHub Access Token. @@ -662,7 +674,7 @@ paths: content: {} tags: - feedback - '/cdn/{size}/{id}_{counter}.webp': + "/cdn/{size}/{id}_{counter}.webp": get: operationId: img_cdn summary: Get title images @@ -698,14 +710,14 @@ paths: schema: type: string examples: - '5304': + "5304": summary: A normal building - value: '5304' + value: "5304" garching: summary: A campus value: garching mi: - summary: 'A large, (custom named) building' + summary: "A large, (custom named) building" value: mi fsmpi: summary: A regular room @@ -720,21 +732,21 @@ paths: minimum: 0 example: 0 responses: - '200': + "200": description: The image you requested content: image/webp: schema: type: string format: binary - example: 'https://nav.tum.sexy/cdn/thumb/mi_0.webp' - '400': + example: "https://nav.tum.sexy/cdn/thumb/mi_0.webp" + "400": description: | Bad Request. The request was malformed. Please check your request and try again. content: {} - '404': + "404": description: Requested Resource Not Found content: text/plain: 
@@ -743,12 +755,12 @@ paths: enum: - Not found example: Not found - '414': - description: 'The uri you are trying to request is unreasonably long. neither ids, nor any other parameter has more than 30 chars..' + "414": + description: "The uri you are trying to request is unreasonably long. neither ids, nor any other parameter has more than 30 chars.." content: {} tags: - cdn - '/cdn/maps/{source}/{id}.webp': + "/cdn/maps/{source}/{id}.webp": get: operationId: maps_cdn summary: Get title images @@ -781,23 +793,23 @@ paths: value: mi_0 garching: summary: StudiTUM Garching (roomfinder + overview) - value: '5532_2' + value: "5532_2" responses: - '200': + "200": description: The map you requested content: image/webp: schema: type: string format: binary - example: 'https://nav.tum.sexy/cdn/maps/roomfinder/rf142.webp' - '400': + example: "https://nav.tum.sexy/cdn/maps/roomfinder/rf142.webp" + "400": description: | Bad Request. The request was malformed. Please check your request and try again. content: {} - '404': + "404": description: Requested Resource Not Found content: text/plain: @@ -806,8 +818,8 @@ paths: enum: - Not found example: Not found - '414': - description: 'The uri you are trying to request is unreasonably long. neither ids, nor any other parameter has more than 30 chars..' + "414": + description: "The uri you are trying to request is unreasonably long. neither ids, nor any other parameter has more than 30 chars.." content: {} tags: - cdn @@ -818,7 +830,7 @@ paths: description: | If this endpoint does not return 200, the API is experiencing a catastrophic outage. Should never happen. responses: - '200': + "200": description: Ok content: text/plain: @@ -826,7 +838,7 @@ paths: type: string enum: - healthy - '503': + "503": description: Service Unavailable content: {} tags: 
@@ -838,7 +850,7 @@ paths: description: | If this endpoint does not return 200, the CDN is experiencing a catastrophic outage. Should never happen. responses: - '200': + "200": description: Ok content: text/plain: @@ -846,7 +858,7 @@ paths: type: string enum: - healthy - '503': + "503": description: Service Unavailable content: {} tags: @@ -858,7 +870,7 @@ paths: description: | If this endpoint does not return 200, the Website is experiencing a catastrophic outage. Should never happen. responses: - '200': + "200": description: Ok content: text/plain: @@ -866,7 +878,7 @@ paths: type: string enum: - healthy - '503': + "503": description: Service Unavailable content: {} tags: @@ -880,7 +892,7 @@ components: computed: type: array items: - $ref: '#/components/schemas/Prop' + $ref: "#/components/schemas/Prop" required: - computed Prop: @@ -896,21 +908,21 @@ components: - name - text ImageInfo: - description: 'The information you need to request Images from the /cdn/{size}/{id}_{counter}.webp endpoint' + description: "The information you need to request Images from the /cdn/{size}/{id}_{counter}.webp endpoint" type: object properties: name: - description: 'The name of the image file. consists of {building_id}_{image_id}.webp, where image_id is a counter starting at 0' + description: "The name of the image file. consists of {building_id}_{image_id}.webp, where image_id is a counter starting at 0" type: string example: mi_0.webp author: - $ref: '#/components/schemas/PossibleURLRef' + $ref: "#/components/schemas/PossibleURLRef" source: - $ref: '#/components/schemas/PossibleURLRef' + $ref: "#/components/schemas/PossibleURLRef" license: - $ref: '#/components/schemas/PossibleURLRef' + $ref: "#/components/schemas/PossibleURLRef" meta: - $ref: '#/components/schemas/ImageMetadata' + $ref: "#/components/schemas/ImageMetadata" sections: discriminator: propertyName: facet 
@@ -918,8 +930,8 @@ components: sites_buildings: SitesBuildings rooms: Rooms oneOf: - - $ref: '#/components/schemas/SitesBuildings' - - $ref: '#/components/schemas/Rooms' + - $ref: "#/components/schemas/SitesBuildings" + - $ref: "#/components/schemas/Rooms" required: - name - author @@ -938,7 +950,7 @@ components: description: optional location description type: string geo: - description: 'optional coordinates in lat,lon' + description: "optional coordinates in lat,lon" type: string image_url: description: | @@ -964,14 +976,14 @@ components: description: optional the department this image is about type: string PossibleURLRef: - description: 'Additional information you should include, if you decide to display the image for legal and attribution reasons' + description: "Additional information you should include, if you decide to display the image for legal and attribution reasons" type: object properties: text: - description: 'The text to display' + description: "The text to display" type: string url: - description: 'The URL to the referenced information. Always either null or a valid URL' + description: "The URL to the referenced information. Always either null or a valid URL" nullable: true type: string pattern: .+ @@ -1015,7 +1027,7 @@ components: description: The zone type: string example: U - pattern: '[C-HJ-NP-X]' + pattern: "[C-HJ-NP-X]" zone_number: description: The zone number type: integer 
@@ -1038,27 +1050,27 @@ components: - interactive - roomfinder roomfinder: - $ref: '#/components/schemas/RoomfinderMap' + $ref: "#/components/schemas/RoomfinderMap" overlays: description: | null would mean no overlay maps are displayed by default. For rooms you should add a warning that no floor map is available for this room allOf: - nullable: true - - $ref: '#/components/schemas/OverlayMap' + - $ref: "#/components/schemas/OverlayMap" required: - default RoomfinderMap: type: object properties: default: - description: 'The id of the map, that should be shown as a default' + description: "The id of the map, that should be shown as a default" type: string example: rf142 available: type: array items: - $ref: '#/components/schemas/RoomfinderMapEntry' + $ref: "#/components/schemas/RoomfinderMapEntry" required: - default - available @@ -1074,10 +1086,10 @@ components: type: string example: rf142 scale: - description: 'Scale of the map. 2000 means 1:2000.' + description: "Scale of the map. 2000 means 1:2000." type: string - example: '2000' - pattern: '[0-9]+' + example: "2000" + pattern: "[0-9]+" height: description: Map image x dimensions type: integer @@ -1125,7 +1137,7 @@ components: available: type: array items: - $ref: '#/components/schemas/OverlayMapEntry' + $ref: "#/components/schemas/OverlayMapEntry" required: - default - available @@ -1145,7 +1157,7 @@ components: Should be used for display to the user in selectors. Matches the floor part of the TUMOnline roomcode. type: string - example: 'EG' + example: "EG" name: description: The human-readable name of the map type: string @@ -1188,7 +1200,7 @@ components: entries: type: array items: - $ref: '#/components/schemas/RoomEntry' + $ref: "#/components/schemas/RoomEntry" required: - estimatedTotalHits - facet 
@@ -1210,7 +1222,7 @@ components: entries: type: array items: - $ref: '#/components/schemas/SitesBuildingsEntry' + $ref: "#/components/schemas/SitesBuildingsEntry" n_visible: description: | A recommendation how many of the entries should be displayed by default. @@ -1226,16 +1238,16 @@ components: - entries RoomEntry: allOf: - - $ref: '#/components/schemas/SitesBuildingsEntry' + - $ref: "#/components/schemas/SitesBuildingsEntry" - type: object required: - subtext_bold properties: subtext_bold: - description: 'Subtext to show below the search (by default in bold and after the non-bold subtext). Usually contains the arch-id of the room, which is another common room id format, and supports highlighting.' + description: "Subtext to show below the search (by default in bold and after the non-bold subtext). Usually contains the arch-id of the room, which is another common room id format, and supports highlighting." type: string parsed_id: - description: 'This is an optional feature, that is only supported for some rooms. It might be displayed instead or before the name, to show that a different room id format has matched, that was probably used. See the image below for an example. It will be cropped to a maximum length to not take too much space in UIs. Supports highlighting.' + description: "This is an optional feature, that is only supported for some rooms. It might be displayed instead or before the name, to show that a different room id format has matched, that was probably used. See the image below for an example. It will be cropped to a maximum length to not take too much space in UIs. Supports highlighting." type: string SitesBuildingsEntry: type: object 
@@ -1261,17 +1273,17 @@ components: type: object properties: token: - description: 'The token, that can be used to generate feedback' + description: "The token, that can be used to generate feedback" type: string - example: '999999999999999' + example: "999999999999999" maxLength: 15 minLength: 15 - pattern: '[0-9]+' + pattern: "[0-9]+" required: - token x-examples: token: - token: '999999999999999' + token: "999999999999999" SearchResponse: type: object properties: @@ -1279,8 +1291,8 @@ components: type: array items: oneOf: - - $ref: '#/components/schemas/SitesBuildings' - - $ref: '#/components/schemas/Rooms' + - $ref: "#/components/schemas/SitesBuildings" + - $ref: "#/components/schemas/Rooms" discriminator: propertyName: facet mapping: @@ -1301,11 +1313,11 @@ components: - time_ms DetailsResponse: allOf: - - $ref: '#/components/schemas/BaseDetailsResponse' + - $ref: "#/components/schemas/BaseDetailsResponse" - type: object properties: id: - description: 'The id, that was requested' + description: "The id, that was requested" type: string type: description: The type of the entry @@ -1318,9 +1330,9 @@ components: - site - campus coords: - $ref: '#/components/schemas/Coordinate' + $ref: "#/components/schemas/Coordinate" maps: - $ref: '#/components/schemas/Maps' + $ref: "#/components/schemas/Maps" required: - id - type @@ -1328,11 +1340,11 @@ components: - maps RootResponse: allOf: - - $ref: '#/components/schemas/BaseDetailsResponse' + - $ref: "#/components/schemas/BaseDetailsResponse" - type: object properties: id: - description: 'The id, that was requested' + description: "The id, that was requested" type: string enum: - root @@ -1353,7 +1365,7 @@ components: name: description: The name of the entry in a human-readable form type: string - example: '5602.EG.001 (MI HS 1, Friedrich L. Bauer Hörsaal)' + example: "5602.EG.001 (MI HS 1, Friedrich L. Bauer Hörsaal)" parents: type: array items: 
@@ -1371,13 +1383,13 @@ components: - Standorte - Garching Forschungszentrum props: - $ref: '#/components/schemas/Props' + $ref: "#/components/schemas/Props" imgs: type: array items: - $ref: '#/components/schemas/ImageInfo' + $ref: "#/components/schemas/ImageInfo" ranking_factors: - $ref: '#/components/schemas/RankingFactors' + $ref: "#/components/schemas/RankingFactors" required: - type_common_name - name @@ -1401,7 +1413,7 @@ components: type: integer format: int32 rank_boost: - description: | + description: | Automatic boost or suppression based on entry properties: - numbers of buildings for a `campus`/`area`/`site`, - numbers of seats for a `room`, @@ -1420,14 +1432,14 @@ components: type: object properties: token: - description: 'The token, that can be used to generate feedback' + description: "The token, that can be used to generate feedback" type: string - example: '999999999999999' + example: "999999999999999" maxLength: 15 minLength: 15 - pattern: '[0-9]+' + pattern: "[0-9]+" category: - description: | + description: | The category of the feedback. Enum attribute is softly enforced: Any value not listed below will be replaced by "other" type: string @@ -1480,7 +1492,7 @@ tags: - name: feedback description: the API to access/search for room information - name: health - description: 'These endpoints are used to check the health of the API, website and cdn' + description: "These endpoints are used to check the health of the API, website and cdn" externalDocs: description: Visit our Github Page for more in-depth documentation - url: 'https://github.com/TUM-Dev/navigatum' + url: "https://github.com/TUM-Dev/navigatum" diff --git a/server/src/core/search/mod.rs b/server/src/core/search/mod.rs index 6de000ed6..920e707c2 100644 --- a/server/src/core/search/mod.rs +++ b/server/src/core/search/mod.rs 
@@ -57,9 +57,14 @@ fn sanitise_args(args: SearchQueryArgs) -> (String, (String, String), SanitisedS
 limit_rooms: args.limit_rooms.unwrap_or(10).clamp(0, 1_000),
 limit_all: args.limit_all.unwrap_or(10).clamp(1, 1_000),
 };
- let highlighting = (
- args.pre_highlight.unwrap_or_else(|| "".to_string()),
- args.post_highlight.unwrap_or_else(|| "".to_string()),
+ let mut highlighting = (
+ args.pre_highlight.unwrap_or_else(|| "\u{0019}".to_string()),
+ args.post_highlight
+ .unwrap_or_else(|| "\u{0017}".to_string()),
 );
+ // After 25 char this parameter kind of misses the point it tries to address.
+ // for DOS Reasons this is truncated
+ highlighting.0.truncate(25);
+ highlighting.1.truncate(25);
 (args.q, highlighting, sanitised_args)
 }
diff --git a/webclient/src/modules/autocomplete.js b/webclient/src/modules/autocomplete.js
index 94c19b25c..93375e32b 100644
--- a/webclient/src/modules/autocomplete.js
+++ b/webclient/src/modules/autocomplete.js
@@ -17,6 +17,13 @@ navigatum.registerModule(
 return visible;
 }
 
+ function _allowHighlighting(text) {
+ /// This function does still parse content only from our internal API (which should not try to pawn us in the
+ // first place), but for extra redundancy we sanitise this anyway.
+ // It is not done by Vue, as we use `v-html`-Tag to include it in the frontend.
+ const opt = new Option(text).innerHTML;
+ return opt.replaceAll("\x19", "").replaceAll("\x17", "");
+ }
 function extractFacets(data) {
 const sections = [];
 
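Review bot: `highlighting.0.truncate(25)` and `highlighting.1.truncate(25)` cut at a byte index, and `String::truncate` panics when that index is not on a char boundary, so a client-supplied `pre_highlight` or `post_highlight` containing multi-byte characters that straddle byte 25 turns this DoS guard into a per-request panic. The OpenAPI `maxLength: 25` in the same commit counts characters, not bytes, which is another reason to truncate on a char boundary, e.g. via `char_indices().nth(25)`. The comment should also spell out that the limit is in characters. `sanitise_args` begins before this hunk.
```rust
    // … unchanged: let mut highlighting = (…) …
    // After 25 chars this parameter kind of misses the point it tries to address.
    // For DoS reasons it is truncated — on a char boundary, because String::truncate
    // panics if the byte index falls inside a multi-byte character.
    fn truncate_chars(s: &mut String, max_chars: usize) {
        if let Some((idx, _)) = s.char_indices().nth(max_chars) {
            s.truncate(idx);
        }
    }
    truncate_chars(&mut highlighting.0, 25);
    truncate_chars(&mut highlighting.1, 25);
```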
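Review bot: `new Option(text).innerHTML` escapes only `&`, `<` and `>` as text-node content, so `_allowHighlighting` is adequate for the `v-html` element content the comment describes but not for an attribute position; the comment should state that scope, e.g. `// Escapes &, < and > only: safe for element content rendered via v-html, never for attributes.` The name suggests the control markers are turned into markup, while the body strips them; if a later step does the conversion, naming it here would avoid confusion, and the opening `///` looks like a typo for `//`. `replaceAll` is ES2021, so `opt.split("\x19").join("").split("\x17").join("")` is the portable form if older browsers are a target. In the following hunk `subtext` is the one field not passed through this helper, which is worth a comment either way.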
@@ -26,11 +33,11 @@ navigatum.registerModule(
 section.entries.forEach((entry) => {
 entries.push({
 id: entry.id,
- name: entry.name,
+ name: _allowHighlighting(entry.name), // we explicitly dont let vue sanitise this text
 type: entry.type,
 subtext: entry.subtext,
- subtext_bold: entry.subtext_bold,
- parsed_id: entry.parsed_id,
+ subtext_bold: _allowHighlighting(entry.subtext_bold), // we explicitly dont let vue sanitise this text
+ parsed_id: _allowHighlighting(entry.parsed_id), // we explicitly dont let vue sanitise this text
 });
 });