Fixed RXSS vulnerability in search results

squidfunk · Aug 19, 2024 · a06cf10 · a06cf10
1 parent 89c1d1c
commit a06cf10
Show file tree

Hide file tree

Showing 5 changed files with 36 additions and 35 deletions.
diff --git a/material/templates/assets/javascripts/bundle.20f8b5b3.min.js b/material/templates/assets/javascripts/bundle.20f8b5b3.min.js
diff --git a/material/templates/assets/javascripts/bundle.471ce7a9.min.js b/material/templates/assets/javascripts/bundle.471ce7a9.min.js
diff --git a/...ts/javascripts/bundle.20f8b5b3.min.js.map → ...ts/javascripts/bundle.471ce7a9.min.js.map b/...ts/javascripts/bundle.20f8b5b3.min.js.map → ...ts/javascripts/bundle.471ce7a9.min.js.map
diff --git a/material/templates/base.html b/material/templates/base.html
@@ -249,7 +249,7 @@
       </script>
     {% endblock %}
     {% block scripts %}
-      <script src="{{ 'assets/javascripts/bundle.20f8b5b3.min.js' | url }}"></script>
+      <script src="{{ 'assets/javascripts/bundle.471ce7a9.min.js' | url }}"></script>
       {% for script in config.extra_javascript %}
         {{ script | script_tag }}
       {% endfor %}

diff --git a/src/templates/assets/javascripts/templates/search/index.tsx b/src/templates/assets/javascripts/templates/search/index.tsx
@@ -20,6 +20,7 @@
  * IN THE SOFTWARE.
  */
 
+import escapeHTML from "escape-html"
 import { ComponentChild } from "preact"
 
 import { configuration, feature, translation } from "~/_"
@@ -60,7 +61,7 @@ function renderSearchDocument(
   const missing = Object.keys(document.terms)
     .filter(key => !document.terms[key])
     .reduce<ComponentChild[]>((list, key) => [
-      ...list, <del>{key}</del>, " "
+      ...list, <del>{escapeHTML(key)}</del>, " "
     ], [])
     .slice(0, -1)