fixed XSS vuln in searchbox

ultrakain · Oct 8, 2014 · b40b3b4 · b40b3b4
1 parent 9c7ea33
commit b40b3b4
Showing 1 changed file with 16 additions and 1 deletion.
diff --git a/source/javascripts/app/search.js b/source/javascripts/app/search.js
@@ -53,7 +53,7 @@
         });
         highlight.call(this);
       } else {
-        searchResults.html('<li>No Results Found for "' + this.value + '"</li>');
+        searchResults.html('<li>No Results Found for "' + this.value.escapeHTML() + '"</li>');
       }
     } else {
       unhighlight();
@@ -69,4 +69,19 @@
     content.unhighlight(highlightOpts);
   }
 
+  var __entityMap = {
+    "&": "&amp;",
+    "<": "&lt;",
+    ">": "&gt;",
+    '"': '&quot;',
+    "'": '&#39;',
+    "/": '&#x2F;'
+  };
+
+  String.prototype.escapeHTML = function() {
+      return String(this).replace(/[&<>"'\/]/g, function (s) {
+        return __entityMap[s];
+      });
+  }
+
 })(window);