i2psnark: Rename search param to bypass the XSS filter

Fix encode/decode search param
Copy CSS to non-default themes, not tweaked yet
Add support for shorter nf_ prefix to XSS filter
Remove unneeded float_right, reported by drzed

apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java

@@ -387,13 +387,12 @@ public class I2PSnarkServlet extends BasicServlet {
         out.write("</div>\n");
 
         if (!isConfigure) {
-            String search = req.getParameter("s");
+            String search = req.getParameter("nf_s");
             if (_manager.getTorrents().size() > 1 || (search != null && search.length() > 0)) {
                 out.write("<form class=\"search\" id = \"search\" action=\"" + _contextPath + "\" method=\"GET\">" +
-                          "<input type=\"text\" name=\"s\" size=\"20\" class=\"search\" id=\"searchbox\"");
-                String s = req.getParameter("s");
-                if (s != null)
-                    out.write(" value=\"" + DataHelper.escapeHTML(s) + '"');
+                          "<input type=\"text\" name=\"nf_s\" size=\"20\" class=\"search\" id=\"searchbox\"");
+                if (search != null)
+                    out.write(" value=\"" + DataHelper.escapeHTML(search) + '"');
                 out.write(">" +
                           "<input type=\"reset\" class=\"cancel\" id=\"searchcancel\" value=\"\">" +
                           "</form>\n");
@@ -507,7 +506,7 @@ public class I2PSnarkServlet extends BasicServlet {
 
         // search
         boolean isSearch = false;
-        String search = req.getParameter("s");
+        String search = req.getParameter("nf_s");
         if (search != null && search.length() > 0) {
             List<Snark> matches = search(search, snarks);
             if (matches != null) {
@@ -851,12 +850,17 @@ public class I2PSnarkServlet extends BasicServlet {
     /**
      *  search torrents for matching terms
      *
-     *  @param search non-null
-     *  @param snarks unmodified
-     *  @return null if no valid search, or matching torrents in same order
+     *  @param search non-null and %-encoded, will be decoded here
+     *  @param snarks unmodified, order will be honored
+     *  @return null if not a valid search, or matching torrents in same order, possibly empty
      *  @since 0.9.58
      */
     private static List<Snark> search(String search, Collection<Snark> snarks) {
+        try {
+            search = decodePath(search);
+        } catch (IOException ioe) {
+            return null;
+        }
         List<String> searchList = null;
         String[] terms = DataHelper.split(search, " ");
         for (int i = 0; i < terms.length; i++) {
@@ -927,7 +931,7 @@ public class I2PSnarkServlet extends BasicServlet {
                .append(action).append("\" >\n");
         } else {
             // for buttons, keep the search term
-            String sParam = req.getParameter("s");
+            String sParam = req.getParameter("nf_s");
             if (sParam != null) {
                 buf.append("<input type=\"hidden\" name=\"s\" value=\"")
                    .append(DataHelper.escapeHTML(sParam)).append("\" >\n");
@@ -987,15 +991,15 @@ public class I2PSnarkServlet extends BasicServlet {
             buf.append(st);
         }
         if (s == null) {
-            s = req.getParameter("s");
+            s = req.getParameter("nf_s");
             if (s != null)
                 s = DataHelper.escapeHTML(s);
         }
         if (s != null && !s.equals("")) {
             if (buf.length() <= 0)
-                buf.append("?s=");
+                buf.append("?nf_s=");
             else
-                buf.append("&amp;s=");
+                buf.append("&amp;nf_s=");
             buf.append(s);
         }
         return buf.toString();
@@ -1555,7 +1559,7 @@ public class I2PSnarkServlet extends BasicServlet {
                 _manager.addMessage(_t("Error creating torrent - you must enter a file or directory"));
             }
         } else if ("StopAll".equals(action)) {
-            String search = req.getParameter("s");
+            String search = req.getParameter("nf_s");
             if (search != null && search.length() > 0) {
                 List<Snark> matches = search(search, _manager.getTorrents());
                 if (matches != null) {
@@ -1567,7 +1571,7 @@ public class I2PSnarkServlet extends BasicServlet {
             }
             _manager.stopAllTorrents(false);
         } else if ("StartAll".equals(action)) {
-            String search = req.getParameter("s");
+            String search = req.getParameter("nf_s");
             if (search != null && search.length() > 0) {
                 List<Snark> matches = search(search, _manager.getTorrents());
                 if (matches != null) {

apps/i2psnark/resources/js/initajax.js

@@ -29,12 +29,12 @@ function requestAjax2(refreshtime) {
                 query = "";
             }
             var q = new URLSearchParams(query);
-            q.set("s", search);
+            q.set("nf_s", encodeURIComponent(search));
             query = "?" + q.toString();
         } else {
             if (query != null) {
                 var q = new URLSearchParams(query);
-                q.delete("s");
+                q.delete("nf_s");
                 var newq = q.toString();
                 if (newq != null && newq.length > 0) {
                     query = "?" + newq;

apps/i2psnark/resources/themes/dark/snark.css

@@ -224,6 +224,27 @@ _:-ms-lang(x), .snarknavbar {
      margin-top: 0 !important;
 }
 
+#search {
+     display: inline-block;
+     position: absolute;
+     top: 6px;
+     right: 3px;
+}
+
+#searchbox {
+     background: #f60 url(/themes/console/images/buttons/search.png) 7px center no-repeat !important;
+     margin: 2px 4px 2px 24px !important;
+     padding: 4px 32px 4px 32px !important;
+     color: black;
+}
+
+#searchcancel {
+     background: url(images/cancel.png);
+     margin: 2px 4px 2px -28px;
+     color: transparent;
+     border: none;
+}
+
 /* end topnav */
 
 /* screenlog */

apps/i2psnark/resources/themes/light/snark.css

@@ -229,6 +229,27 @@ button::-moz-focus-inner, input::-moz-focus-inner {
      background: #f60 url(images/button_tracker_active.png) 8px center no-repeat;
 }
 
+#search {
+     display: inline-block;
+     position: absolute;
+     top: 6px;
+     right: 3px;
+}
+
+#searchbox {
+     background: #f60 url(/themes/console/images/buttons/search.png) 7px center no-repeat !important;
+     margin: 2px 4px 2px 24px !important;
+     padding: 4px 32px 4px 32px !important;
+     color: black;
+}
+
+#searchcancel {
+     background: url(images/cancel.png);
+     margin: 2px 4px 2px -28px;
+     color: transparent;
+     border: none;
+}
+
 /* end top nav */
 
 /* screenlog */

apps/i2psnark/resources/themes/ubergine/snark.css

@@ -231,7 +231,6 @@ _:-ms-lang(x), .snarkNav:last-child[href="/i2psnark/"] {
 
 #search {
      display: inline-block;
-     float: right;
      position: absolute;
      top: 6px;
      right: 3px;

apps/i2psnark/resources/themes/vanilla/snark.css

@@ -272,6 +272,27 @@ _:-ms-lang(x), .snarkNav:link, .snarkNav:visited {
      transition: ease box-shadow 0.1s;
 }
 
+#search {
+     display: inline-block;
+     position: absolute;
+     top: 6px;
+     right: 3px;
+}
+
+#searchbox {
+     background: #f60 url(/themes/console/images/buttons/search.png) 7px center no-repeat !important;
+     margin: 2px 4px 2px 24px !important;
+     padding: 4px 32px 4px 32px !important;
+     color: black;
+}
+
+#searchcancel {
+     background: url(images/cancel.png);
+     margin: 2px 4px 2px -28px;
+     color: transparent;
+     border: none;
+}
+
 /* end topnav */
 
 /* screenlog */

apps/jetty/java/src/net/i2p/servlet/filters/XSSRequestWrapper.java

@@ -26,6 +26,8 @@ public class XSSRequestWrapper extends HttpServletRequestWrapper {
     private static final Pattern parameterValuePattern = Pattern.compile(SystemVersion.isWindows() ? WIN_PATTERN : NON_WIN_PATTERN);
     private static final Pattern headerValuePattern = Pattern.compile("^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ \"]*$");
     private static final String NOFILTER = "nofilter_";
+    // shorter flavor
+    private static final String NOFILTER2 = "nf_";
 
     public XSSRequestWrapper(HttpServletRequest servletRequest) {
         super(servletRequest);
@@ -33,11 +35,12 @@ public class XSSRequestWrapper extends HttpServletRequestWrapper {
 
     /**
      *  Parameter names starting with "nofilter_" will not be filtered.
+     *  As of 0.9.58, names starting with "nf_" will not be filtered.
      */
     @Override
     public String[] getParameterValues(String parameter) {
         String[] values = super.getParameterValues(parameter);
-        if (parameter.startsWith(NOFILTER))
+        if (parameter.startsWith(NOFILTER) || parameter.startsWith(NOFILTER2))
             return values;
 
         if (values == null) {
@@ -70,11 +73,12 @@ public class XSSRequestWrapper extends HttpServletRequestWrapper {
 
     /**
      *  Parameter names starting with "nofilter_" will not be filtered.
+     *  As of 0.9.58, names starting with "nf_" will not be filtered.
      */
     @Override
     public String getParameter(String parameter) {
         String value = super.getParameter(parameter);
-        if (parameter.startsWith(NOFILTER))
+        if (parameter.startsWith(NOFILTER) || parameter.startsWith(NOFILTER2))
             return value;
         String rv = stripXSS(value, parameterValuePattern);
         if (value != null && rv == null) {
@@ -86,6 +90,7 @@ public class XSSRequestWrapper extends HttpServletRequestWrapper {
 
     /**
      *  Parameter names starting with "nofilter_" will not be filtered.
+     *  As of 0.9.58, names starting with "nf_" will not be filtered.
      */
     @Override
     public Map<String, String[]> getParameterMap() {