diff options
| author | Nobuyoshi Nakada <nobu@ruby-lang.org> | 2021-09-07 23:52:13 +0900 |
|---|---|---|
| committer | git <svn-admin@ruby-lang.org> | 2022-10-07 12:12:09 +0900 |
| commit | 39909d8c18ede7bb94bbcd0ad00d41b2f545528b (patch) | |
| tree | abe1a4f52b82555f21562d9467393756aa14b3d4 /lib/rdoc/generator/template/darkfish/js | |
| parent | a3cb09c7d17f2626ebd6eae774f0425d602ed95b (diff) | |
[ruby/rdoc] Escape search results
https://hackerone.com/reports/1321358
https://github.com/ruby/rdoc/commit/2ebf8fd510
Diffstat (limited to 'lib/rdoc/generator/template/darkfish/js')
| -rw-r--r-- | lib/rdoc/generator/template/darkfish/js/darkfish.js | 2 | ||||
| -rw-r--r-- | lib/rdoc/generator/template/darkfish/js/search.js | 2 |
2 files changed, 2 insertions, 2 deletions
diff --git a/lib/rdoc/generator/template/darkfish/js/darkfish.js b/lib/rdoc/generator/template/darkfish/js/darkfish.js index 111bbf8eb9..d0c9467751 100644 --- a/lib/rdoc/generator/template/darkfish/js/darkfish.js +++ b/lib/rdoc/generator/template/darkfish/js/darkfish.js @@ -54,7 +54,7 @@ function hookSearch() { var html = ''; // TODO add relative path to <script> per-page - html += '<p class="search-match"><a href="' + index_rel_prefix + result.path + '">' + this.hlt(result.title); + html += '<p class="search-match"><a href="' + index_rel_prefix + this.escapeHTML(result.path) + '">' + this.hlt(result.title); if (result.params) html += '<span class="params">' + result.params + '</span>'; html += '</a>'; diff --git a/lib/rdoc/generator/template/darkfish/js/search.js b/lib/rdoc/generator/template/darkfish/js/search.js index b558ca5b4f..58e52afecf 100644 --- a/lib/rdoc/generator/template/darkfish/js/search.js +++ b/lib/rdoc/generator/template/darkfish/js/search.js @@ -101,7 +101,7 @@ Search.prototype = Object.assign({}, Navigation, new function() { } this.escapeHTML = function(html) { - return html.replace(/[&<>]/g, function(c) { + return html.replace(/[&<>"`']/g, function(c) { return '&#' + c.charCodeAt(0) + ';'; }); } |