From 204f39ef12822f1163c34d47226e9236e723c633 Mon Sep 17 00:00:00 2001
From: legobeat <109787230+legobeat@users.noreply.github.com>
Date: Fri, 16 Dec 2022 20:28:13 +0000
Subject: [PATCH] ui: make settings search regex range explicit (#16903)
* ui: make settings search regex range explicit
- Addresses CodeQL advisory #31
- Removes `][^ as valid characters
* ui: settings-search: ignore leading/trailing whitespace
---
 ui/pages/settings/settings-search/settings-search.js | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/ui/pages/settings/settings-search/settings-search.js b/ui/pages/settings/settings-search/settings-search.js
index 6f37e399c..545068aa5 100644
--- a/ui/pages/settings/settings-search/settings-search.js
+++ b/ui/pages/settings/settings-search/settings-search.js
@@ -42,10 +42,9 @@ export default function SettingsSearch({
   });
   const handleSearch = (_searchQuery) => {
-    const sanitizedSearchQuery = _searchQuery.replace(
-      /[^A-z0-9\s&]|[\\]/gu,
-      '',
-    );
+    const sanitizedSearchQuery = _searchQuery
+      .replace(/[^A-Za-z0-9\s&_]/gu, '')
+      .trim();
     setSearchQuery(sanitizedSearchQuery);
     if (sanitizedSearchQuery === '') {
       setSearchIconColor('var(--color-icon-muted)');