fix xss in the search page

Thanks to Kamil Vavra for responsibly disclosing the vulnerability according to Rust's Security Policy.
2020-12-30 22:13:15 +01:00 · 2020-12-30 22:13:15 +01:00 · 32abeef088
parent 5de9b6841e
commit 32abeef088
1 changed files with 5 additions and 0 deletions
--- a/src/theme/searcher/searcher.js
+++ b/src/theme/searcher/searcher.js
@ -145,6 +145,11 @@ window.search = window.search || {};
            url.push("");
        }

+        // encodeURIComponent escapes all chars that could allow an XSS except
+        // for '. Due to that we also manually replace ' with its url-encoded
+        // representation (%27).
+        var searchterms = encodeURIComponent(searchterms.join(" ")).replace(/\'/g, "%27");
+
        return '<a href="' + path_to_root + url[0] + '?' + URL_MARK_PARAM + '=' + searchterms + '#' + url[1]
            + '" aria-details="teaser_' + teaser_count + '">' + result.doc.breadcrumbs + '</a>'
            + '<span class="teaser" id="teaser_' + teaser_count + '" aria-label="Search Result Teaser">'