diff options
author | Pietro Albini <pietro@pietroalbini.org> | 2020-12-30 22:13:15 +0100 |
---|---|---|
committer | Eric Huss <eric@huss.org> | 2021-01-04 07:14:57 -0800 |
commit | 32abeef088e98327ca0dfccdad92e84afa9d2e9b (patch) | |
tree | 5c91e77a92e75476e763404c5ad7a41d7df1c68b | |
parent | 5de9b6841ed03c8149eeec3c8a5fcd40b5d4dbe0 (diff) |
fix xss in the search page
Thanks to Kamil Vavra for responsibly disclosing the vulnerability
according to Rust's Security Policy.
-rw-r--r-- | src/theme/searcher/searcher.js | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/src/theme/searcher/searcher.js b/src/theme/searcher/searcher.js index e1cc806b..acf3d50c 100644 --- a/src/theme/searcher/searcher.js +++ b/src/theme/searcher/searcher.js @@ -145,6 +145,11 @@ window.search = window.search || {}; url.push(""); } + // encodeURIComponent escapes all chars that could allow an XSS except + // for '. Due to that we also manually replace ' with its url-encoded + // representation (%27). + var searchterms = encodeURIComponent(searchterms.join(" ")).replace(/\'/g, "%27"); + return '<a href="' + path_to_root + url[0] + '?' + URL_MARK_PARAM + '=' + searchterms + '#' + url[1] + '" aria-details="teaser_' + teaser_count + '">' + result.doc.breadcrumbs + '</a>' + '<span class="teaser" id="teaser_' + teaser_count + '" aria-label="Search Result Teaser">' |