fix xss in dictionary, ip, and stackexchange

meow

src/engines/answer/dictionary.rs

@@ -73,6 +73,7 @@ pub fn parse_response(HttpResponse { res, body }: &HttpResponse) -> eyre::Result
 
     html.push_str(&format!(
         "<h2 class=\"answer-dictionary-word\"><a href=\"https://en.wiktionary.org/wiki/{mediawiki_key}\">{word}</a></h2>",
+        mediawiki_key = html_escape::encode_text(mediawiki_key),
         word = html_escape::encode_text(&word),
     ));
 

src/engines/answer/ip.rs

@@ -9,5 +9,8 @@ pub fn request(query: &SearchQuery) -> EngineResponse {
 
     let ip = &query.ip;
 
-    EngineResponse::answer_html(format!(r#"<h3><b>{ip}</b></h3>"#))
+    EngineResponse::answer_html(format!(
+        r#"<h3><b>{ip}</b></h3>"#,
+        ip = html_escape::encode_text(ip)
+    ))
 }

src/engines/answer/useragent.rs

@@ -12,7 +12,10 @@ pub fn request(query: &SearchQuery) -> EngineResponse {
     let user_agent = query.request_headers.get("user-agent");
 
     EngineResponse::answer_html(if let Some(user_agent) = user_agent {
-        format!("<h3><b>{user_agent}</b></h3>")
+        format!(
+            "<h3><b>{user_agent}</b></h3>",
+            user_agent = html_escape::encode_text(user_agent)
+        )
     } else {
         "You don't have a user agent".to_string()
     })

src/engines/postsearch/stackexchange.rs

@@ -48,6 +48,11 @@ pub fn parse_response(body: &str) -> Option<String> {
         .html()
         .to_string();
 
+    let answer_html = ammonia::Builder::default()
+        .url_relative(ammonia::UrlRelative::RewriteWithBase(url.clone()))
+        .clean(&answer_html)
+        .to_string();
+
     let url = format!("{url}#{answer_id}");
 
     Some(format!(