hexpm · aenglisc · Jan 21, 2020 · Jan 21, 2020 · Jan 21, 2020 · ericmj
diff --git a/lib/diff_web/live/search_view.ex b/lib/diff_web/live/search_view.ex
@@ -5,16 +5,27 @@ defmodule DiffWeb.SearchLiveView do
     DiffWeb.SearchView.render("search.html", assigns)
   end
 
+  @valid_query ~r{^[a-zA-Z0-9_]+$}
+
   def mount(_session, socket) do
     {:ok, reset_state(socket)}
   end
 
   def handle_event("search", %{"q" => ""}, socket), do: {:noreply, reset_state(socket)}
 
+  def handle_event("search", %{"q" => query}, socket)
+      when byte_size(query) > 30 do
+    {:noreply, socket}
+  end
+
   def handle_event("search", %{"q" => query}, socket) do
-    query = String.downcase(query)
-    send(self(), {:search, query})
-    {:noreply, assign(socket, query: query)}
+    if String.match?(query, @valid_query) do
+      query = String.downcase(query)
+      send(self(), {:search, query})
+      {:noreply, assign(socket, query: query)}
+    else
+      {:noreply, socket}
+    end
   end
 
   def handle_event("search_" <> suggestion, _params, socket) do
@@ -30,22 +41,15 @@ defmodule DiffWeb.SearchLiveView do
     index_of_selected_from = Enum.find_index(releases, &(&1 == from))
     to_releases = Enum.slice(releases, (index_of_selected_from + 1)..-1)
 
-    {:noreply,
-     assign(socket,
-       from: from,
-       to_releases: to_releases
-     )}
+    {:noreply, assign(socket, from: from, to_releases: to_releases)}
   end
 
   def handle_event(
         "select_version",
         %{"_target" => ["to"], "to" => to},
         socket
       ) do
-    {:noreply,
-     assign(socket,
-       to: to
-     )}
+    {:noreply, assign(socket, to: to)}
   end
 
   def handle_event("go", _params, %{assigns: %{result: result, to: to, from: from}} = socket)

diff --git a/test/diff_web/live/search_view_test.exs b/test/diff_web/live/search_view_test.exs
@@ -53,6 +53,36 @@ defmodule DiffWeb.SearchLiveViewTest do
       refute rendered =~ ~s(Package phoenix not found.)
     end
 
+    test "do not search if the query is too long", %{conn: conn} do
+      {:ok, view, _html} = live(conn, "/")
+
+      Diff.Package.StoreMock
+      |> expect(:get_names, fn -> ["phoenix", "phoenix_live_view"] end)
+      |> expect(:get_versions, fn "phoenix" -> {:ok, ["1.4.10", "1.4.11"]} end)
+      |> allow(self(), view.pid)
+
+      send(view.pid, {:search, "phoenix"})
+      rendered = render(view)
+
+      assert rendered =~
+               render_change(view, "search", %{"q" => "phoenix_phoenix_phoenix_phoenix_phoenix"})
+    end
+
+    test "do not search if the query has invalid characters", %{conn: conn} do
+      {:ok, view, _html} = live(conn, "/")
+
+      Diff.Package.StoreMock
+      |> expect(:get_names, fn -> ["phoenix", "phoenix_live_view"] end)
+      |> expect(:get_versions, fn "phoenix" -> {:ok, ["1.4.10", "1.4.11"]} end)
+      |> allow(self(), view.pid)
+
+      send(view.pid, {:search, "phoenix"})
+      rendered = render(view)
+
+      assert rendered =~ render_change(view, "search", %{"q" => "phoenix-"})
+      assert rendered =~ render_change(view, "search", %{"q" => "phoenixё"})
+    end
+
     test "clicking diff", %{conn: conn} do
       {:ok, view, _html} = live(conn, "/")