Fixed RXSS vulnerability in search results

2024-11-23 23:21:00 +01:00 · 2024-08-19 13:28:56 +02:00 · 2024-08-19 13:28:56 +02:00 · a06cf106ab
commit a06cf106ab
parent 89c1d1cdc5
5 changed files with 36 additions and 35 deletions
--- a/material/templates/assets/javascripts/bundle.20f8b5b3.min.js
+++ b/material/templates/assets/javascripts/bundle.20f8b5b3.min.js
--- a/material/templates/assets/javascripts/bundle.471ce7a9.min.js
+++ b/material/templates/assets/javascripts/bundle.471ce7a9.min.js
--- a/material/templates/assets/javascripts/bundle.471ce7a9.min.js.map
+++ b/material/templates/assets/javascripts/bundle.471ce7a9.min.js.map
--- a/material/templates/base.html
+++ b/material/templates/base.html
@ -249,7 +249,7 @@
      </script>
    {% endblock %}
    {% block scripts %}
-      <script src="{{ 'assets/javascripts/bundle.20f8b5b3.min.js' | url }}"></script>
+      <script src="{{ 'assets/javascripts/bundle.471ce7a9.min.js' | url }}"></script>
      {% for script in config.extra_javascript %}
        {{ script | script_tag }}
      {% endfor %}
--- a/src/templates/assets/javascripts/templates/search/index.tsx
+++ b/src/templates/assets/javascripts/templates/search/index.tsx
@ -20,6 +20,7 @@
 * IN THE SOFTWARE.
 */

+import escapeHTML from "escape-html"
 import { ComponentChild } from "preact"

 import { configuration, feature, translation } from "~/_"
@ -60,7 +61,7 @@ function renderSearchDocument(
  const missing = Object.keys(document.terms)
    .filter(key => !document.terms[key])
    .reduce<ComponentChild[]>((list, key) => [
-      ...list, <del>{key}</del>, " "
+      ...list, <del>{escapeHTML(key)}</del>, " "
    ], [])
    .slice(0, -1)