diff --git a/InvenTree/templates/js/translated/forms.js b/InvenTree/templates/js/translated/forms.js
index 5c0daa8fd0..c3669e5cd4 100644
--- a/InvenTree/templates/js/translated/forms.js
+++ b/InvenTree/templates/js/translated/forms.js
@@ -1007,6 +1007,11 @@ function getFormFieldValue(name, field={}, options={}) {
 value = null;
 }
 break;
+ case 'string':
+ case 'url':
+ case 'email':
+ value = sanitizeInputString(el.val());
+ break;
 default:
 value = el.val();
 break;
diff --git a/InvenTree/templates/js/translated/helpers.js b/InvenTree/templates/js/translated/helpers.js
index 67a6ccae7f..8860906e8c 100644
--- a/InvenTree/templates/js/translated/helpers.js
+++ b/InvenTree/templates/js/translated/helpers.js
@@ -10,6 +10,7 @@
 makeIconButton,
 makeProgressBar,
 renderLink,
+ sanitizeInputString,
 select2Thumbnail,
 setupNotesField,
 thumbnailImage
@@ -326,3 +327,24 @@ function setupNotesField(element, url, options={}) {
 });
 }
 }
+
+ /*
+ * Sanitize a string provided by the user from an input field,
+ * e.g. data form or search box
+ *
+ * - Remove leading / trailing whitespace
+ * - Remove hidden control characters
+ */
+function sanitizeInputString(s, options={}) {
+
+ // Remove ASCII control characters
+ s = s.replace(/[\x01-\x1F]+/g, '');
+
+ // Remove non-printable characters
+ s = s.replace(/[^ -~]+/g, '');
+
+ s = s.trim();
+
+ return s;
+ }
diff --git a/InvenTree/templates/js/translated/search.js b/InvenTree/templates/js/translated/search.js
index fbadaf7fe2..8143487723 100644
--- a/InvenTree/templates/js/translated/search.js
+++ b/InvenTree/templates/js/translated/search.js
@@ -98,7 +98,9 @@ var searchQueries = [];
 function searchTextChanged(event) {
- searchText = $('#offcanvas-search').find('#search-input').val();
+ var text = $('#offcanvas-search').find('#search-input').val();
+
+ searchText = sanitizeInputString(text);
 clearTimeout(searchInputTimer);
 searchInputTimer = setTimeout(updateSearch, 250);
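Review bot: The new `case 'string'`/`'url'`/`'email'` branch hands `el.val()` straight to `sanitizeInputString`, which calls `.replace` on it, so a non-string value (jQuery returns `undefined` for an empty selection and an array for a multi-select) now throws a TypeError where the old `default` branch returned it unchanged. A type guard keeps the previous fallback: `var raw = el.val();` / `value = (typeof raw === 'string') ? sanitizeInputString(raw) : raw;`. Since this runs in the browser, the server-side field validation remains the check that actually constrains submitted data; this sanitizer only shapes what well-behaved clients send. `getFormFieldValue` starts and ends outside the hunk.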
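Review bot: In `sanitizeInputString` the second pattern `/[^ -~]+/g` deletes every character outside printable ASCII, so any non-ASCII text a user types (accented letters, CJK, currency symbols) is silently dropped from form values and search queries; that is far broader than the header's "hidden control characters" and also makes the first pattern redundant, because `[\x01-\x1F]` is a strict subset of it and `\x00`/`\x7F` are left to the second pass anyway. If the intent is to strip invisible characters, a Unicode category class does that without losing visible text: `s = s.replace(/[\p{Cc}\p{Cf}]+/gu, '');` — `Cf` also covers zero-width and bidi-override code points, which are the ones most worth removing from user-supplied strings. The `options` parameter is never read; either document what it is reserved for or drop it. The header comment should also state that `s` must be a string, since `s.replace` throws on `undefined`.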