From d198cbe65f064575df1ab02415980d6e44363bf9 Mon Sep 17 00:00:00 2001
From: Sandro Gauci <sandro@enablesecurity.com>
Date: Thu, 1 Apr 2021 01:48:33 +0200
Subject: [PATCH] fix potential XSS in search (#492)

mostly it looks like a self-XSS but still good to fix
---
 static/js/search.js | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

diff --git a/static/js/search.js b/static/js/search.js
index d7b893e0c1..2bf49c46fe 100644
--- a/static/js/search.js
+++ b/static/js/search.js
@@ -75,15 +75,18 @@ $( document ).ready(function() {
                 "(?:\\s?(?:[\\w]+)\\s?){0,"+numContextWords+"}" +
                     term+"(?:\\s?(?:[\\w]+)\\s?){0,"+numContextWords+"}");
             item.context = text;
-            return '<div class="autocomplete-suggestion" ' +
-                'data-term="' + term + '" ' +
-                'data-title="' + item.title + '" ' +
-                'data-uri="'+ item.uri + '" ' +
-                'data-context="' + item.context + '">' +
-                '» ' + item.title +
-                '<div class="context">' +
-                (item.context || '') +'</div>' +
-                '</div>';
+            var divcontext = document.createElement("div");
+            divcontext.className = "context";
+            divcontext.innerText = (item.context || '');
+            var divsuggestion = document.createElement("div");
+            divsuggestion.className = "autocomplete-suggestion";
+            divsuggestion.setAttribute("data-term", term);
+            divsuggestion.setAttribute("data-title", item.title);
+            divsuggestion.setAttribute("data-uri", item.uri);
+            divsuggestion.setAttribute("data-context", item.context);
+            divsuggestion.innerText = '» ' + item.title;
+            divsuggestion.appendChild(divcontext);
+            return divsuggestion.outerHTML;
         },
         /* onSelect callback fires when a search suggestion is chosen */
         onSelect: function(e, term, item) {