From e6225bd8b5e6a15151aed7dc3b1b5fa3d106a6d8 Mon Sep 17 00:00:00 2001
From: Oliver
Date: Wed, 21 Sep 2022 11:59:54 +1000
Subject: [PATCH] Form field sanitization (#3699)

* Sanitize input string when using select2 search on forms

* CSS tweaks for images in card view
---
 InvenTree/InvenTree/static/css/inventree.css | 5 +++++
 InvenTree/templates/js/translated/forms.js | 3 ++-
 InvenTree/templates/js/translated/helpers.js | 4 ++++
 InvenTree/templates/js/translated/part.js | 2 +-
 4 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/InvenTree/InvenTree/static/css/inventree.css b/InvenTree/InvenTree/static/css/inventree.css
index c6dded3071..4c827d39a7 100644
--- a/InvenTree/InvenTree/static/css/inventree.css
+++ b/InvenTree/InvenTree/static/css/inventree.css
@@ -839,6 +839,11 @@ input[type="submit"] {
 padding: 10px;
 }
+.card-thumb { max-width: 64px; max-height: 64px; }
+
 .float-right {
 float: right;
 }
diff --git a/InvenTree/templates/js/translated/forms.js b/InvenTree/templates/js/translated/forms.js
index 093a471cca..da9e2b0686 100644
--- a/InvenTree/templates/js/translated/forms.js
+++ b/InvenTree/templates/js/translated/forms.js
@@ -1727,7 +1727,8 @@ function initializeRelatedField(field, fields, options={}) {
 var query = field.filters || {};
 // Add search and pagination options
- query.search = params.term;
+ query.search = sanitizeInputString(params.term);
+
 query.offset = offset;
 query.limit = pageSize;
diff --git a/InvenTree/templates/js/translated/helpers.js b/InvenTree/templates/js/translated/helpers.js
index 2f1619c906..2a2b8b23ae 100644
--- a/InvenTree/templates/js/translated/helpers.js
+++ b/InvenTree/templates/js/translated/helpers.js
@@ -379,6 +379,10 @@ function setupNotesField(element, url, options={}) {
 */
 function sanitizeInputString(s, options={}) {
+ if (!s) {
+ return s;
+ }
+
 // Remove ASCII control characters
 s = s.replace(/[\x01-\x1F]+/g, '');
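Review bot: The new `query.search = sanitizeInputString(params.term);` line only cleans the term on the client, so it cannot stand in for validation on the server side of the search endpoint; the API that receives `search` should still treat it as untrusted, and if the motivation is safe display of the typed term in the select2 dropdown, escaping at render time is the protection that matters. The helper is defined in helpers.js in this same patch, so forms.js now depends on helpers.js being loaded first; a short comment at the call site such as `// sanitizeInputString() lives in helpers.js: strips control characters before the term is sent` would make that visible. The helper also returns falsy input unchanged, so an empty or undefined `params.term` reaches the query exactly as before. initializeRelatedField's body continues outside the hunk.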
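Review bot: The new `if (!s)` guard in sanitizeInputString only covers falsy values, so a truthy non-string argument (a number, for instance) still reaches `s.replace` on the context line below and throws; if any caller other than the select2 search path in this patch can pass such a value, `if (typeof s !== 'string' || s.length === 0) { return s; }` would be the safer early return, though only the one call site is visible here. Separately, the character class `/[\x01-\x1F]+/g` on that line starts at `\x01`, so NUL (`\x00`) and DEL (`\x7F`) survive even though the comment says ASCII control characters; `/[\x00-\x1F\x7F]+/g` would match the comment if that wider range is the intent. The function's body continues past the hunk, and the `options` parameter is not used within the visible lines.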
diff --git a/InvenTree/templates/js/translated/part.js b/InvenTree/templates/js/translated/part.js
index 3e305301a3..b3c291b98a 100644
--- a/InvenTree/templates/js/translated/part.js
+++ b/InvenTree/templates/js/translated/part.js
@@ -1356,7 +1356,7 @@ function partGridTile(part) {
- +