From bceba4da066b16683a56423c52615d4d7e7ff957 Mon Sep 17 00:00:00 2001
From: Veloman Yunkan
Date: Sat, 6 Jan 2024 18:49:02 +0400
Subject: [PATCH] HTML-template data is HTML-encoded
Non-HTML-encoded HTML-template data causes problems in HTML even when it appears inside JS string (resulting in the appearing inside a JS string). Besides, the KIWIX_RESPONSE_DATA and KIWIX_RESPONSE_TEMPLATE variables are set on the window object so that they can be accessed from the top context. This commit eliminates the need for the `escapeQuote` parameter in `escapeForJSON()` (that was introduced earlier in this PR) since now it is set to false in all call contexts. However from the consistency point of view, the default and intuitive behaviour of `escapeForJSON()` should be to escape the quote symbols, which justifies the existence of that parameter.
---
 src/server/response.cpp | 2 +-
 static/templates/error.html | 4 ++--
 test/response.cpp | 8 ++++----
 3 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/src/server/response.cpp b/src/server/response.cpp
index df3dc10ef..09dec8f7d 100644
--- a/src/server/response.cpp
+++ b/src/server/response.cpp
@@ -305,7 +305,7 @@ std::unique_ptr ContentResponseBlueprint::generateResponseObjec
 {
 kainjow::mustache::data d = m_data->toMustache(m_request.get_user_language());
 if ( m_includeKiwixResponseData ) {
- d.set("KIWIX_RESPONSE_TEMPLATE", escapeForJSON(m_template));
+ d.set("KIWIX_RESPONSE_TEMPLATE", escapeForJSON(m_template, false));
 d.set("KIWIX_RESPONSE_DATA", m_data->asJSON());
 }
 auto r = ContentResponse::build(m_template, d, m_mimeType);
diff --git a/static/templates/error.html b/static/templates/error.html
index 66486b6ba..13fadc24c 100644
--- a/static/templates/error.html
+++ b/static/templates/error.html
@@ -6,8 +6,8 @@ {{#CSS_URL}} {{/CSS_URL}}{{#KIWIX_RESPONSE_DATA}} {{/KIWIX_RESPONSE_DATA}}
diff --git a/test/response.cpp b/test/response.cpp
index 61f92ab75..ca0ece39a 100644
--- a/test/response.cpp
+++ b/test/response.cpp
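Review bot: The bare `false` in `escapeForJSON(m_template, false)` leaves `"` unescaped, so the value is only a safe JS string literal while the template emits it through `{{KIWIX_RESPONSE_TEMPLATE}}` and Mustache HTML-escapes the quotes; nothing at this call site records that dependency. I would name the argument and state the constraint, e.g. `escapeForJSON(m_template, /*escapeQuote=*/false)` preceded by `// Quotes are left to Mustache's {{...}} HTML-escaping in the template; never render this value with {{{...}}}.` The enclosing function's body continues outside the hunk.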
@@ -46,8 +46,8 @@ R"( Content not found {{/KIWIX_RESPONSE_DATA}}\n \n \n

{{PAGE_HEADING}}

\n{{#details}}\n

\n {{{p}}}\n

\n{{/details}}\n \n\n";
- const KIWIX_RESPONSE_DATA = { "CSS_URL" : "/css/error.css", "PAGE_HEADING" : { "msgid" : "404-page-heading", "params" : { } }, "PAGE_TITLE" : { "msgid" : "404-page-title", "params" : { } }, "details" : [ { "p" : { "msgid" : "suggest-search", "params" : { "PATTERN" : "asdf", "SEARCH_URL" : "/search?q=asdf" } } } ] };
+ window.KIWIX_RESPONSE_TEMPLATE = "<!DOCTYPE html>\n<html xmlns="http://www.w3.org/1999/xhtml">\n <head>\n <meta content="text/html;charset=UTF-8" http-equiv="content-type" />\n <title>{{PAGE_TITLE}}</title>\n{{#CSS_URL}}\n <link type="text/css" href="{{{CSS_URL}}}" rel="Stylesheet" />\n{{/CSS_URL}}{{#KIWIX_RESPONSE_DATA}} <script>\n window.KIWIX_RESPONSE_TEMPLATE = "{{KIWIX_RESPONSE_TEMPLATE}}";\n window.KIWIX_RESPONSE_DATA = {{{KIWIX_RESPONSE_DATA}}};\n </script>{{/KIWIX_RESPONSE_DATA}}\n </head>\n <body>\n <h1>{{PAGE_HEADING}}</h1>\n{{#details}}\n <p>\n {{{p}}}\n </p>\n{{/details}}\n </body>\n</html>\n";
+ window.KIWIX_RESPONSE_DATA = { "CSS_URL" : "/css/error.css", "PAGE_HEADING" : { "msgid" : "404-page-heading", "params" : { } }, "PAGE_TITLE" : { "msgid" : "404-page-title", "params" : { } }, "details" : [ { "p" : { "msgid" : "suggest-search", "params" : { "PATTERN" : "asdf", "SEARCH_URL" : "/search?q=asdf" } } } ] };
@@ -86,8 +86,8 @@ R"( [I18N TESTING] Not Found - Try Again {{/KIWIX_RESPONSE_DATA}}\n \n \n
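Review bot: Both updated expectations (this hunk and the one at `@@ -86,8 +86,8 @@`) still exercise only the benign pattern `asdf`, so no test pins what the page looks like when the apparently request-derived `PATTERN` contains `"`, `<` or a closing script tag, which is the case this commit is about. That matters most for `window.KIWIX_RESPONSE_DATA = {{{KIWIX_RESPONSE_DATA}}};`, which the template still emits unescaped: whether `asJSON()` keeps `<` out of the script block is not visible in this patch. I would add a 404 case whose URL carries those characters and assert that the expected `<script>` block contains them only in escaped form.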

{{PAGE_HEADING}}

\n{{#details}}\n

\n {{{p}}}\n

\n{{/details}}\n \n\n";
- const KIWIX_RESPONSE_DATA = { "CSS_URL" : "/css/error.css", "PAGE_HEADING" : { "msgid" : "404-page-heading", "params" : { } }, "PAGE_TITLE" : { "msgid" : "404-page-title", "params" : { } }, "details" : [ { "p" : { "msgid" : "suggest-search", "params" : { "PATTERN" : "asdf", "SEARCH_URL" : "/search?q=asdf" } } } ] };
+ window.KIWIX_RESPONSE_TEMPLATE = "<!DOCTYPE html>\n<html xmlns="http://www.w3.org/1999/xhtml">\n <head>\n <meta content="text/html;charset=UTF-8" http-equiv="content-type" />\n <title>{{PAGE_TITLE}}</title>\n{{#CSS_URL}}\n <link type="text/css" href="{{{CSS_URL}}}" rel="Stylesheet" />\n{{/CSS_URL}}{{#KIWIX_RESPONSE_DATA}} <script>\n window.KIWIX_RESPONSE_TEMPLATE = "{{KIWIX_RESPONSE_TEMPLATE}}";\n window.KIWIX_RESPONSE_DATA = {{{KIWIX_RESPONSE_DATA}}};\n </script>{{/KIWIX_RESPONSE_DATA}}\n </head>\n <body>\n <h1>{{PAGE_HEADING}}</h1>\n{{#details}}\n <p>\n {{{p}}}\n </p>\n{{/details}}\n </body>\n</html>\n";
+ window.KIWIX_RESPONSE_DATA = { "CSS_URL" : "/css/error.css", "PAGE_HEADING" : { "msgid" : "404-page-heading", "params" : { } }, "PAGE_TITLE" : { "msgid" : "404-page-title", "params" : { } }, "details" : [ { "p" : { "msgid" : "suggest-search", "params" : { "PATTERN" : "asdf", "SEARCH_URL" : "/search?q=asdf" } } } ] };