Sanitize search input (#3591)

* Sanitize search input

- Remove ASCII and unicode control characters

* js linting

* Simplified regex

* Sanitize modal form fields also

InvenTree/templates/js/translated/forms.js

@@ -1007,6 +1007,11 @@ function getFormFieldValue(name, field={}, options={}) {
             value = null;
         }
         break;
+    case 'string':
+    case 'url':
+    case 'email':
+        value = sanitizeInputString(el.val());
+        break;
     default:
         value = el.val();
         break;

InvenTree/templates/js/translated/helpers.js

@@ -10,6 +10,7 @@
     makeIconButton,
     makeProgressBar,
     renderLink,
+    sanitizeInputString,
     select2Thumbnail,
     setupNotesField,
     thumbnailImage
@@ -326,3 +327,24 @@ function setupNotesField(element, url, options={}) {
         });
     }
 }
+
+
+/*
+ * Sanitize a string provided by the user from an input field,
+ * e.g. data form or search box
+ *
+ * - Remove leading / trailing whitespace
+ * - Remove hidden control characters
+ */
+function sanitizeInputString(s, options={}) {
+
+    // Remove ASCII control characters
+    s = s.replace(/[\x01-\x1F]+/g, '');
+
+    // Remove non-printable characters
+    s = s.replace(/[^ -~]+/g, '');
+
+    s = s.trim();
+
+    return s;
+}

InvenTree/templates/js/translated/search.js

@@ -98,7 +98,9 @@ var searchQueries = [];
 
 function searchTextChanged(event) {
 
-    searchText = $('#offcanvas-search').find('#search-input').val();
+    var text = $('#offcanvas-search').find('#search-input').val();
+
+    searchText = sanitizeInputString(text);
 
     clearTimeout(searchInputTimer);
     searchInputTimer = setTimeout(updateSearch, 250);