From d67f65019ea0e3a132836048ccfd60b0a02d98d4 Mon Sep 17 00:00:00 2001
From: Francesco Siddi <francesco.siddi@gmail.com>
Date: Wed, 31 May 2017 17:14:14 +0200
Subject: [PATCH] Escape HTML when displaying search results

---
 src/scripts/tutti/4_search.js       | 4 ++--
 src/templates/nodes/search.jade     | 4 ++--
 src/templates/projects/sharing.jade | 4 +++-
 src/templates/users/index.jade      | 6 +++---
 4 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/src/scripts/tutti/4_search.js b/src/scripts/tutti/4_search.js
index 8b498fbd..867beddf 100644
--- a/src/scripts/tutti/4_search.js
+++ b/src/scripts/tutti/4_search.js
@@ -37,10 +37,10 @@ $(document).ready(function() {
 								hitFree +
 							'</div>' +
 							'<div class="search-hit-name" title="' + hit.name + '">' +
-								hit._highlightResult.name.value + ' ' +
+								hit.name + ' ' +
 							'</div>' +
 							'<div class="search-hit-meta">' +
-								'<span class="project">' + hit._highlightResult.project.name.value + '</span> · ' +
+								'<span class="project">' + hit.project.name + '</span> · ' +
 								'<span class="node_type">' + hit.node_type + '</span>' +
 								hitMedia +
 							'</div>' +
diff --git a/src/templates/nodes/search.jade b/src/templates/nodes/search.jade
index 7d90ff03..7bad1347 100644
--- a/src/templates/nodes/search.jade
+++ b/src/templates/nodes/search.jade
@@ -134,9 +134,9 @@ script(type="text/template", id="hit-template")
 				span free
 			| {{/is_free}}
 		.search-hit-name
-			| {{{ _highlightResult.name.value }}}
+			| {{ name }}
 		.search-hit-meta
-			span.project {{{ project.name }}} ·
+			span.project {{ project.name }}
 			span.node_type {{{ node_type }}}
 			| {{#media}}
 			span.media · {{{ media }}}
diff --git a/src/templates/projects/sharing.jade b/src/templates/projects/sharing.jade
index e69be3dc..9a91d50f 100644
--- a/src/templates/projects/sharing.jade
+++ b/src/templates/projects/sharing.jade
@@ -96,7 +96,9 @@ script.
 				limit: 10,
 				templates: {
 					suggestion: function (hit) {
-						return hit._highlightResult.full_name.value + ' (' + hit._highlightResult.username.value + ')';
+						var suggestion = hit.full_name + ' (' + hit.username + ')';
+						var $p = $('p').text(suggestion);
+						return $p.html();
 					}
 				}
 			}
diff --git a/src/templates/users/index.jade b/src/templates/users/index.jade
index 52f487ef..a0c8a157 100644
--- a/src/templates/users/index.jade
+++ b/src/templates/users/index.jade
@@ -55,10 +55,10 @@ script(type="text/template", id="facet-template")
 script(type="text/template", id="hit-template")
 	.search-hit.users(data-user-id='{{ objectID }}')
 		.search-hit-name
-			| {{{ _highlightResult.full_name.value }}}
-			small ({{{ username }}})
+			| {{ full_name }}
+			small ({{ username }})
 		.search-hit-roles
-			| {{{ roles }}}
+			| {{ roles }}
 
 
 // Pagination template