Merge pull request #1360 from jediwhale/master

Search string is not escaped in search page title

Author: Mike Stockdale

src/fitnesse/responders/search/SearchResponder.java

@@ -5,6 +5,7 @@
 import java.util.regex.Pattern;
 
 import fitnesse.components.TraversalListener;
+import fitnesse.html.HtmlUtil;
 import fitnesse.wiki.WikiPage;
 import fitnesse.wiki.search.PageFinder;
 import fitnesse.wiki.search.RegularExpressionWikiPageFinder;
@@ -29,7 +30,7 @@ private String getSearchType() {
       return "Content";
   }
 
- 
+
   protected String getPageFooterInfo(int hits) {
     return "Found " + hits + " results for your search.";
   }
@@ -41,7 +42,9 @@ protected String getTemplate() {
 
   @Override
   protected String getTitle() {
-    return (request.getInput("searchType") == null) ? "Search Form" : getSearchType() + " Search Results for '" + getSearchString() + "'";
+    return (request.getInput("searchType") == null)
+      ? "Search Form"
+      : getSearchType() + " Search Results for '" + HtmlUtil.escapeHTML(getSearchString()) + "'";
   }
 
   @Override

test/fitnesse/responders/search/SearchResponderTest.java

@@ -76,7 +76,7 @@ public void testNoSearchStringBringsUpNoResults() throws Exception {
   @Test
   public void testEscapesSearchString() throws Exception {
     String content = getResponseContentUsingSearchString("!+-<&>");
-    assertSubString("!+-<&>", content);
+    assertSubString("<title>Content Search Results for '!+-&lt;&amp;&gt;'</title>", content);
   }
 
   private String getResponseContentUsingSearchString(String searchString) throws Exception {