fixed XSS vuln in searchbox

b40b3b47 · Kevin Adams · 9c7ea333 · b40b3b47
Commit b40b3b47 authored Oct 08, 2014 by Kevin Adams
Hide whitespace changes
Inline Side-by-side

Showing with 16 additions and 1 deletion

search.js source/javascripts/app/search.js +16 -1

No files found.
--- a/source/javascripts/app/search.js
+++ b/source/javascripts/app/search.js
@@ -53,7 +53,7 @@
        });
        highlight.call(this);
      } else {
-        searchResults.html('<li>No Results Found for "' + this.value + '"</li>');
+        searchResults.html('<li>No Results Found for "' + this.value.escapeHTML() + '"</li>');
      }
    } else {
      unhighlight();
@@ -69,4 +69,19 @@
    content.unhighlight(highlightOpts);
  }

+  var __entityMap = {
+    "&": "&amp;",
+    "<": "&lt;",
+    ">": "&gt;",
+    '"': '&quot;',
+    "'": '&#39;',
+    "/": '&#x2F;'
+  };
+
+  String.prototype.escapeHTML = function() {
+      return String(this).replace(/[&<>"'\/]/g, function (s) {
+        return __entityMap[s];
+      });
+  }
+
 })(window);