🩹 Attempt to fix JS server-side request forgery

Author: stoe

api/javascript/search/server.js

@@ -66,18 +66,20 @@ class Server {
     });
 
     app.get('/search/:query', async (req, res) => {
-      res.send(await this.searchQuery(req.params.query));
+      const search = encodeURIComponent(req.params.query)
+
+      res.send(await this.searchQuery(search));
     });
-    
+
     app.get('/state', async (req, res) => {
       res.send(await this.getState());
     });
-    
+
     app.post('/hooks', (req, res) => {
       res.send(200);
     });
   }
-  
+
   // We could filter out the properties that we don't want the frontend to have
   async getState() {
     await this.refreshState();