fix potential XSS in search (#492)

mostly it looks like a self-XSS but still good to fix
2024-11-27 09:43:06 +00:00 · 2021-04-01 01:48:33 +02:00 · 2021-04-01 01:48:33 +02:00 · d198cbe65f
commit d198cbe65f
parent d7a4481ff2
1 changed files with 12 additions and 9 deletions
--- a/static/js/search.js
+++ b/static/js/search.js
@ -75,15 +75,18 @@ $( document ).ready(function() {
                "(?:\\s?(?:[\\w]+)\\s?){0,"+numContextWords+"}" +
                    term+"(?:\\s?(?:[\\w]+)\\s?){0,"+numContextWords+"}");
            item.context = text;
-            return '<div class="autocomplete-suggestion" ' +
+            var divcontext = document.createElement("div");
-                'data-term="' + term + '" ' +
+            divcontext.className = "context";
-                'data-title="' + item.title + '" ' +
+            divcontext.innerText = (item.context || '');
-                'data-uri="'+ item.uri + '" ' +
+            var divsuggestion = document.createElement("div");
-                'data-context="' + item.context + '">' +
+            divsuggestion.className = "autocomplete-suggestion";
-                '» ' + item.title +
+            divsuggestion.setAttribute("data-term", term);
-                '<div class="context">' +
+            divsuggestion.setAttribute("data-title", item.title);
-                (item.context || '') +'</div>' +
+            divsuggestion.setAttribute("data-uri", item.uri);
-                '</div>';
+            divsuggestion.setAttribute("data-context", item.context);
            divsuggestion.innerText = '» ' + item.title;
            divsuggestion.appendChild(divcontext);
            return divsuggestion.outerHTML;
        },
        /* onSelect callback fires when a search suggestion is chosen */
        onSelect: function(e, term, item) {