Search highlighting is prone to regular expression injection

[tobyzerner]

Whatever you enter in the search field is being put unescaped into a regular expression to locally highlight matches. For example:

https://discuss.flarum.org/?q=test%20%5Bblah%5D%2B%20test

You can also easily crash the search by typing an invalid pattern:

https://discuss.flarum.org/?q=test%20%2B%20test

[DanielTheGeek]

It's very inappropriate to post security bugs on the issue tracker page. You should have mailed the development team instead.

[luceos]

@DanielTheGeek thanks for your concern, I'd like to kindly point out that:

• @tobscure is the project owner and belongs to the active core developer team.
• this bug is not affecting other users, it only affects yourself.

[DanielTheGeek]

Oh, okay... thanks for pointing that out.

[sijad]

lodash has a escapeRegExp method, we can use that or something like (suggested at https://stackoverflow.com/a/6969486):

function escapeRegExp(str) {
  return str.replace(/[\-\[\]\/\{\}\(\)\*\+\?\.\\\^\$\|]/g, "\\$&");
}

which one do you think is better?

[tobyzerner]

@sijad lodash sounds good, just make sure Webpack tree shakes properly :)

[dsevillamartin]

I cannot reproduce this in the latest dev-master.

[tobyzerner]

@datitisev it's not enough to just visit a search URL; you need to actually type a phrase into the search box for it to be parsed as a regular expression.

[dsevillamartin]

@tobscure Ah, the issue was that no discussions or posts matched the query. Now I can reproduce it.
Related to #1539, may want to escape regex in #1539 instead of the current solution.