Skip to content

Commit

Permalink
Prevent HTML/XSS Injection in Scala Search (#19980)
Browse files Browse the repository at this point in the history 
This PR fixes the `_layouts/search.html` file to use `innerText` rather
than `innerHTML`. This will prevent the ability to inject HTML/XSS into
the code of the page.
[Cherry-picked 4554131]
  • Loading branch information
@RedYetiDev @WojciechMazur
RedYetiDev authored and WojciechMazur committed Jul 3, 2024
1 parent 344f907 commit 22a5408
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions docs/_layouts/search.html
View file
Original file line number Diff line number Diff line change
Expand Up @@ -47,11 +47,11 @@ <h2 class="d-none d-md-block">Member Results</h2>

// Set search term and title:
var searchTerm = decodeURIComponent(parameters["searchTerm"]);
document.getElementById("searching-for").innerHTML = 'Search results for "' + searchTerm + '"';
document.getElementById("searching-for").innerText = 'Search results for "' + searchTerm + '"';
document.title = searchTerm + ' - Search results';

if (!window.Worker) {
document.getElementById("searching-for").innerHTML =
document.getElementById("searching-for").innerText =
"Couldn't search for \"" + searchTerm + "\", " +
"web workers not supported. Please update your browser.";
}
Expand Down

0 comments on commit 22a5408

Please sign in to comment.