From d81dbc44b80c061bcea7efeb778be45082e1dcc6 Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite <alexandre@alapetite.fr>
Date: Tue, 1 Apr 2025 09:39:16 +0200
Subject: Fix escaping of tag search (#7468)

* Fix escaping of tag search
fix https://github.com/FreshRSS/FreshRSS/issues/7466

* Minor clarity
---
 app/Controllers/tagController.php                 |  5 +++++
 app/views/helpers/index/normal/entry_bottom.phtml |  3 ++-
 app/views/helpers/index/tags.phtml                | 14 +++++++++-----
 3 files changed, 16 insertions(+), 6 deletions(-)

diff --git a/app/Controllers/tagController.php b/app/Controllers/tagController.php
index cb3f164f5..68047656e 100644
--- a/app/Controllers/tagController.php
+++ b/app/Controllers/tagController.php
@@ -204,4 +204,9 @@ class FreshRSS_tag_Controller extends FreshRSS_ActionController {
 		$tagDAO = FreshRSS_Factory::createTagDao();
 		$this->view->tags = $tagDAO->listTags(precounts: true);
 	}
+
+	public static function escapeForSearch(string $tag): string {
+		$tag = htmlspecialchars_decode($tag, ENT_QUOTES);
+		return str_replace([' ', '(', ')'], ['+', '\\(', '\\)'], $tag);
+	}
 }
diff --git a/app/views/helpers/index/normal/entry_bottom.phtml b/app/views/helpers/index/normal/entry_bottom.phtml
index f3c363275..380d00318 100644
--- a/app/views/helpers/index/normal/entry_bottom.phtml
+++ b/app/views/helpers/index/normal/entry_bottom.phtml
@@ -56,7 +56,8 @@
 				<li class="dropdown-header"><?= _t('index.tag.related') ?></li>
 				<?php
 				foreach ($tags as $tag) {
-					?><li class="item"><a href="<?= _url('index', 'index', 'search', '#' . str_replace(' ', '+', htmlspecialchars_decode($tag, ENT_QUOTES))) ?>"><?= $tag ?></a></li><?php
+					?><li class="item"><a href="<?= _url('index', 'index', 'search', '#' .
+						FreshRSS_tag_Controller::escapeForSearch($tag)) ?>"><?= $tag ?></a></li><?php
 				} ?>
 			</ul>
 			<a class="dropdown-close" href="#close">❌</a>
diff --git a/app/views/helpers/index/tags.phtml b/app/views/helpers/index/tags.phtml
index 2c5804372..ffb2d6f72 100644
--- a/app/views/helpers/index/tags.phtml
+++ b/app/views/helpers/index/tags.phtml
@@ -11,11 +11,13 @@
 	<?= _i('tag') ?><ul class="list-tags">
 	<?php if (Minz_Request::controllerName() === 'index'): ?>
 		<?php foreach ($firstTags as $tag): ?>
-		<li class="item tag"><a class="link-tag" href="<?= _url('index', 'index', 'search', '#' . str_replace(' ', '+', htmlspecialchars_decode($tag, ENT_QUOTES))) ?>" title="<?= _t('gen.action.filter') ?>">#<?= $tag ?></a></li>
+		<li class="item tag"><a class="link-tag" href="<?= _url('index', 'index', 'search', '#' .
+			FreshRSS_tag_Controller::escapeForSearch($tag)) ?>" title="<?= _t('gen.action.filter') ?>">#<?= $tag ?></a></li>
 		<?php endforeach; ?>
 	<?php else: // API public access ?>
 		<?php foreach ($firstTags as $tag): ?>
-		<li class="item tag"><a class="link-tag" href="<?= $this->html_url . '&search=%23' . str_replace(' ', '+', htmlspecialchars_decode($tag, ENT_QUOTES)) ?>" title="<?= _t('gen.action.filter') ?>">#<?= $tag ?></a></li>
+		<li class="item tag"><a class="link-tag" href="<?= $this->html_url . '&search=' .
+			urlencode('#' . FreshRSS_tag_Controller::escapeForSearch($tag)) ?>" title="<?= _t('gen.action.filter') ?>">#<?= $tag ?></a></li>
 		<?php endforeach; ?>
 	<?php endif; ?>
 
@@ -29,11 +31,13 @@
 					<li class="dropdown-header"><?= _t('index.tag.related') ?></li>
 					<?php if (Minz_Request::controllerName() === 'index'): ?>
 						<?php foreach ($remainingTags as $tag): ?>
-						<li class="item"><a href="<?= _url('index', 'index', 'search', '#' . str_replace(' ', '+', htmlspecialchars_decode($tag, ENT_QUOTES))) ?>" title="<?= _t('gen.action.filter') ?>">#<?= $tag ?></a></li>
+						<li class="item"><a href="<?= _url('index', 'index', 'search', '#' .
+							FreshRSS_tag_Controller::escapeForSearch($tag)) ?>" title="<?= _t('gen.action.filter') ?>">#<?= $tag ?></a></li>
 						<?php endforeach; ?>
-					<?php else: ?>
+					<?php else: // API public access ?>
 						<?php foreach ($remainingTags as $tag): ?>
-						<li class="item tag"><a class="link-tag" href="<?= $this->html_url . '&search=%23' . str_replace(' ', '+', htmlspecialchars_decode($tag, ENT_QUOTES)) ?>" title="<?= _t('gen.action.filter') ?>">#<?= $tag ?></a></li>
+						<li class="item tag"><a class="link-tag" href="<?= $this->html_url . '&search=' .
+							urlencode('#' . FreshRSS_tag_Controller::escapeForSearch($tag)) ?>" title="<?= _t('gen.action.filter') ?>">#<?= $tag ?></a></li>
 						<?php endforeach; ?>
 					<?php endif; ?>
 				</ul>
-- 
cgit v1.2.3