From 7fe066b4ea2deea4232dcf0eaf30f02427e81e00 Mon Sep 17 00:00:00 2001
From: Ben Busby <noreply+git@benbusby.com>
Date: Mon, 1 Nov 2021 15:34:59 -0600
Subject: [PATCH] Escape result html after bolding search terms

Fixes #518
---
 app/routes.py        | 2 +-
 app/utils/results.py | 7 ++++---
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/app/routes.py b/app/routes.py
index b6e6f45..6e96a61 100644
--- a/app/routes.py
+++ b/app/routes.py
@@ -275,7 +275,7 @@ def search():
         is_translation=any(
             _ in query.lower() for _ in [translation['translate'], 'translate']
         ) and not search_util.search_type,  # Standard search queries only
-        response=html.unescape(str(response)),
+        response=response,
         version_number=app.config['VERSION_NUMBER'],
         search_header=(render_template(
             'header.html',
diff --git a/app/utils/results.py b/app/utils/results.py
index e04b629..76cb2cb 100644
--- a/app/utils/results.py
+++ b/app/utils/results.py
@@ -1,4 +1,5 @@
 from bs4 import BeautifulSoup, NavigableString
+import html
 import os
 import urllib.parse as urlparse
 from urllib.parse import parse_qs
@@ -56,11 +57,11 @@ def bold_search_terms(response: str, query: str) -> BeautifulSoup:
                 element.parent and element.parent.name == 'style'):
             return
 
-        element.replace_with(
+        element.replace_with(BeautifulSoup(
             re.sub(fr'\b((?![{{}}<>-]){target_word}(?![{{}}<>-]))\b',
                    r'<b>\1</b>',
-                   element,
-                   flags=re.I)
+                   html.escape(element),
+                   flags=re.I), 'html.parser')
         )
 
     # Split all words out of query, grouping the ones wrapped in quotes