Bump 0.4.5

fix xss in the search page
Thanks to Kamil Vavra for responsibly disclosing the vulnerability according to Rust's Security Policy.
2021-01-04 07:03:20 -08:00 · 2021-01-04 07:01:49 -08:00
3 changed files with 7 additions and 2 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -723,7 +723,7 @@ checksum = "7ffc5c5338469d4d3ea17d269fa8ea3512ad247247c30bd2df69e68309ed0a08"

 [[package]]
 name = "mdbook"
-version = "0.4.4"
+version = "0.4.5"
 dependencies = [
 "ammonia",
 "anyhow",
--- a/Cargo.toml
+++ b/Cargo.toml
@ -1,6 +1,6 @@
 [package]
 name = "mdbook"
-version = "0.4.4"
+version = "0.4.5"
 authors = [
    "Mathieu David <mathieudavid@mathieudavid.org>",
    "Michael-F-Bryan <michaelfbryan@gmail.com>",
--- a/src/theme/searcher/searcher.js
+++ b/src/theme/searcher/searcher.js
@ -145,6 +145,11 @@ window.search = window.search || {};
            url.push("");
        }

+        // encodeURIComponent escapes all chars that could allow an XSS except
+        // for '. Due to that we also manually replace ' with its url-encoded
+        // representation (%27).
+        var searchterms = encodeURIComponent(searchterms.join(" ")).replace(/\'/g, "%27");
+
        return '<a href="' + path_to_root + url[0] + '?' + URL_MARK_PARAM + '=' + searchterms + '#' + url[1]
            + '" aria-details="teaser_' + teaser_count + '">' + result.doc.breadcrumbs + '</a>'
            + '<span class="teaser" id="teaser_' + teaser_count + '" aria-label="Search Result Teaser">'
Author	SHA1	Message	Date
Eric Huss	f66df09324	Bump 0.4.5	2021-01-04 07:03:20 -08:00
Pietro Albini	648c9ae772	fix xss in the search page Thanks to Kamil Vavra for responsibly disclosing the vulnerability according to Rust's Security Policy.	2021-01-04 07:01:49 -08:00