penal-colony/samsa
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix: extract only hostname for favicon data-domain
Some checks failed
Build and Push Docker Image / build-and-push (push) Failing after 7s
Details
Mirror to GitHub / mirror (push) Failing after 5s
Details
Tests / test (push) Successful in 27s
Details

Browse source 
data-domain was set to the full result URL (https://en.wikipedia.org/...).
This caused /favicon/ to receive malformed domain strings.

Now extracts u.Hostname() in FromResponse and passes it as Domain
to result_item.html.
This commit is contained in:
Franz Kafka 2026-03-23 14:56:51 +00:00
parent b57a041b6a
commit 8f2fd671f1
2 changed files with 9 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

2
internal/views/templates/result_item.html
View file

@ -4,7 +4,7 @@
<a href="{{.URL}}" target="_blank" rel="noopener noreferrer">{{.SafeTitle}}</a> <a href="{{.URL}}" target="_blank" rel="noopener noreferrer">{{.SafeTitle}}</a>
</div> </div>
<div class="result_url"> <div class="result_url">
<img class="result-favicon" data-domain="{{.URL}}" src="" alt="" loading="lazy" style="display:none"> <img class="result-favicon" data-domain="{{.Domain}}" src="" alt="" loading="lazy" style="display:none">
<a href="{{.URL}}" target="_blank" rel="noopener noreferrer">{{.URL}}</a> <a href="{{.URL}}" target="_blank" rel="noopener noreferrer">{{.URL}}</a>
<span class="engine-badge" data-engine="{{.Engine}}">{{.Engine}}</span> <span class="engine-badge" data-engine="{{.Engine}}">{{.Engine}}</span>
</div> </div>

8
internal/views/views.go
View file

@ -23,6 +23,7 @@ import (
"html/template" "html/template"
"io/fs" "io/fs"
"net/http" "net/http"
"net/url"
"strconv" "strconv"
"strings" "strings"
@ -71,6 +72,8 @@ type ResultView struct {
// TemplateName is the actual template to dispatch to, computed from Template. // TemplateName is the actual template to dispatch to, computed from Template.
// "videos" maps to "video_item", everything else maps to "result_item". // "videos" maps to "video_item", everything else maps to "result_item".
TemplateName string TemplateName string
// Domain is the hostname extracted from the result URL, used for favicon proxying.
Domain string
// SafeTitle and SafeContent are HTML-unescaped versions for rendering. // SafeTitle and SafeContent are HTML-unescaped versions for rendering.
// The API returns HTML entities which Go templates escape by default. // The API returns HTML entities which Go templates escape by default.
SafeTitle template.HTML SafeTitle template.HTML
@ -205,14 +208,19 @@ func FromResponse(resp contracts.SearchResponse, query string, pageno int, activ
tmplName = "video_item" tmplName = "video_item"
} }
// Sanitize URLs to prevent javascript:/data: scheme injection. // Sanitize URLs to prevent javascript:/data: scheme injection.
var domain string
if r.URL != nil { if r.URL != nil {
safe := util.SanitizeResultURL(*r.URL) safe := util.SanitizeResultURL(*r.URL)
r.URL = &safe r.URL = &safe
if u, err := url.Parse(safe); err == nil {
domain = u.Hostname()
}
} }
r.Thumbnail = util.SanitizeResultURL(r.Thumbnail) r.Thumbnail = util.SanitizeResultURL(r.Thumbnail)
pd.Results[i] = ResultView{ pd.Results[i] = ResultView{
MainResult: r, MainResult: r,
TemplateName: tmplName, TemplateName: tmplName,
Domain: domain,
SafeTitle: template.HTML(html.UnescapeString(r.Title)), SafeTitle: template.HTML(html.UnescapeString(r.Title)),
SafeContent: template.HTML(html.UnescapeString(r.Content)), SafeContent: template.HTML(html.UnescapeString(r.Content)),
} }