From 14b7bf262820dc5e0480d2c21f366552575b42c6 Mon Sep 17 00:00:00 2001
From: Dominika Liberda <dominika@sakamoto.pl>
Date: Thu, 18 Feb 2021 00:21:25 +0100
Subject: [PATCH] - XSS in search

---
 webroot/search.shs | 22 +++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)

diff --git a/webroot/search.shs b/webroot/search.shs
index fcd194b..0111aae 100755
--- a/webroot/search.shs
+++ b/webroot/search.shs
@@ -3,18 +3,22 @@
 meta[title]="youtube but not really"
 source templates/head.sh
 
-echo "<form action='${r[url]}/search.shs'>
-<input name='q' type='text'>
-<input type='submit' value='Search'>
-</form>
-"
 
-if [[ ${get_data[q]} ]]; then
-	query=${get_data[q]}
-	query_nice=$(echo ${get_data[q]} | sed -s 's/+/ /g')
 
-	echo "<p>Searching for '$query_nice'</p>"
+if [[ "${get_data[q]}" ]]; then
+	query="${get_data[q]}"
+	query_nice=$(sed -s 's/+/ /g' <<< "${get_data[q]}")
+	echo "<form action='/search.shs'>
+	<input name='q' type='text' value='$(html_encode "$query_nice")'>"
+else
+	echo "<form action='/search.shs'>
+	<input name='q' type='text'>"
+fi
 
+echo "<input type='submit' value='Search'>
+</form><br>"
+
+if [[ "${get_data[q]}" ]]; then
 	data=$(haruhi-dl "ytsearch30:${get_data[q]}" --flat-playlist -J | jq '.entries[]')
 
 	IFS=$'\n'