From 09f1e000734bc431ec7b63e18959bf6f34f9c179 Mon Sep 17 00:00:00 2001
From: Eric Wong
Date: Tue, 23 May 2017 21:53:57 +0000
Subject: www: do not mangle characters from search queries
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reported-by: Ævar Arnfjörð Bjarmason https://public-inbox.org/meta/CACBZZX5Gnow08r=0A1J_kt3a=zpGyMfvsqu8nAN7kacNnDm+dg@mail.gmail.com/
---
t/psgi_search.t | 71 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 71 insertions(+)
create mode 100644 t/psgi_search.t
(limited to 't/psgi_search.t')
diff --git a/t/psgi_search.t b/t/psgi_search.t
new file mode 100644
index 00000000..cc9c9cf4
--- /dev/null
+++ b/t/psgi_search.t
@@ -0,0 +1,71 @@
+# Copyright (C) 2017 all contributors
+# License: AGPL-3.0+
+use strict;
+use warnings;
+use Test::More;
+use File::Temp qw/tempdir/;
+use Email::MIME;
+use PublicInbox::Config;
+use PublicInbox::WWW;
+my @mods = qw(PublicInbox::SearchIdx HTTP::Request::Common Plack::Test
+ URI::Escape Plack::Builder);
+foreach my $mod (@mods) {
+ eval "require $mod";
+ plan skip_all => "$mod missing for psgi_search.t" if $@;
+}
+use_ok $_ foreach @mods;
+my $tmpdir = tempdir('pi-psgi-search.XXXXXX', TMPDIR => 1, CLEANUP => 1);
+my $git_dir = "$tmpdir/a.git";
+
+is(0, system(qw(git init -q --bare), $git_dir), "git init (main)");
+my $rw = PublicInbox::SearchIdx->new($git_dir, 1);
+ok($rw, "search indexer created");
+my $data = <<'EOF';
+Subject: test
+Message-Id:
+From: Ævar Arnfjörð Bjarmason
+To: git@vger.kernel.org
+
+EOF
+
+my $num = 0;
+# nb. using internal API, fragile!
+my $xdb = $rw->_xdb_acquire;
+$xdb->begin_transaction;
+
+foreach (reverse split(/\n\n/, $data)) {
+ $_ .= "\n";
+ my $mime = Email::MIME->new(\$_);
+ my $bytes = bytes::length($mime->as_string);
+ my $doc_id = $rw->add_message($mime, $bytes, ++$num, 'ignored');
+ my $mid = $mime->header('Message-Id');
+ ok($doc_id, 'message added: '. $mid);
+}
+
+$xdb->commit_transaction;
+$rw = undef;
+
+my $cfgpfx = "publicinbox.test";
+my $config = PublicInbox::Config->new({
+ "$cfgpfx.address" => 'git@vger.kernel.org',
+ "$cfgpfx.mainrepo" => $git_dir,
+});
+my $www = PublicInbox::WWW->new($config);
+test_psgi(sub { $www->call(@_) }, sub {
+ my ($cb) = @_;
+ my $res;
+ $res = $cb->(GET('/test/?q=%C3%86var'));
+ my $html = $res->content;
+ like($html, qr/Ævar - /, 'HTML escaped in title');
+ my @res = ($html =~ m/\?q=(.+var)\b/g);
+ ok(scalar(@res), 'saw query strings');
+ my %uniq = map { $_ => 1 } @res;
+ is(1, scalar keys %uniq, 'all query values identical in HTML');
+ is('%C3%86var', (keys %uniq)[0], 'matches original query');
+ ok(index($html, 'by Ævar Arnfjörð Bjarmason') >= 0,
+ "displayed Ævar's name properly in HTML");
+});
+
+done_testing();
+
+1;
-- cgit v1.2.3-24-ge0c7
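Review bot: The only query this test sends is `/test/?q=%C3%86var`, so it pins the non-ASCII round trip but never checks that HTML-significant characters in `q` are still escaped where the page echoes the query back (the title and the `?q=` links that the assertions read). The commit title says the handling of search-query characters changed, and that code is not shown on this page, so a regression case inside the client callback passed to `test_psgi` would guard the escaping path: `$res = $cb->(GET('/test/?q=%3Cxq%3E'));` followed by `unlike($res->content, qr/<xq>/, 'query metacharacters escaped in HTML');` (the `xq` marker is a constructed sample). Separately, `bytes::length` is called in the `foreach` loop without a `require bytes;` in this file, which presumably works only because a dependency loads it; adding `require bytes;` next to the other imports would make that explicit.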