Escape search results

nobu · nobu · commit 2ebf8fd51005 · 2022-10-07T11:47:13.000+09:00
https://hackerone.com/reports/1321358
diff --git a/lib/rdoc/generator/template/darkfish/_head.rhtml b/lib/rdoc/generator/template/darkfish/_head.rhtml
@@ -3,18 +3,18 @@
 <title><%= h @title %></title>
 
 <script type="text/javascript">
-  var rdoc_rel_prefix = "<%= asset_rel_prefix %>/";
-  var index_rel_prefix = "<%= rel_prefix %>/";
+  var rdoc_rel_prefix = "<%= h asset_rel_prefix %>/";
+  var index_rel_prefix = "<%= h rel_prefix %>/";
 </script>
 
-<script src="<%= asset_rel_prefix %>/js/navigation.js" defer></script>
-<script src="<%= asset_rel_prefix %>/js/search.js" defer></script>
-<script src="<%= asset_rel_prefix %>/js/search_index.js" defer></script>
-<script src="<%= asset_rel_prefix %>/js/searcher.js" defer></script>
-<script src="<%= asset_rel_prefix %>/js/darkfish.js" defer></script>
+<script src="<%= h asset_rel_prefix %>/js/navigation.js" defer></script>
+<script src="<%= h asset_rel_prefix %>/js/search.js" defer></script>
+<script src="<%= h asset_rel_prefix %>/js/search_index.js" defer></script>
+<script src="<%= h asset_rel_prefix %>/js/searcher.js" defer></script>
+<script src="<%= h asset_rel_prefix %>/js/darkfish.js" defer></script>
 
-<link href="<%= asset_rel_prefix %>/css/fonts.css" rel="stylesheet">
-<link href="<%= asset_rel_prefix %>/css/rdoc.css" rel="stylesheet">
+<link href="<%= h asset_rel_prefix %>/css/fonts.css" rel="stylesheet">
+<link href="<%= h asset_rel_prefix %>/css/rdoc.css" rel="stylesheet">
 <%- @options.template_stylesheets.each do |stylesheet| -%>
-<link href="<%= asset_rel_prefix %>/<%= File.basename stylesheet %>" rel="stylesheet">
+<link href="<%= h asset_rel_prefix %>/<%= File.basename stylesheet %>" rel="stylesheet">
 <%- end -%>
diff --git a/lib/rdoc/generator/template/darkfish/js/darkfish.js b/lib/rdoc/generator/template/darkfish/js/darkfish.js
@@ -54,7 +54,7 @@ function hookSearch() {
     var html = '';
 
     // TODO add relative path to <script> per-page
-    html += '<p class="search-match"><a href="' + index_rel_prefix + result.path + '">' + this.hlt(result.title);
+    html += '<p class="search-match"><a href="' + index_rel_prefix + this.escapeHTML(result.path) + '">' + this.hlt(result.title);
     if (result.params)
       html += '<span class="params">' + result.params + '</span>';
     html += '</a>';
diff --git a/lib/rdoc/generator/template/darkfish/js/search.js b/lib/rdoc/generator/template/darkfish/js/search.js
@@ -101,7 +101,7 @@ Search.prototype = Object.assign({}, Navigation, new function() {
   }
 
   this.escapeHTML = function(html) {
-    return html.replace(/[&<>]/g, function(c) {
+    return html.replace(/[&<>"`']/g, function(c) {
       return '&#' + c.charCodeAt(0) + ';';
     });
   }

Original file line number	Diff line number	Diff line change
`@@ -101,7 +101,7 @@ Search.prototype = Object.assign({}, Navigation, new function() {`
`101`	`101`	`}`
`102`	`102`
`103`	`103`	`this.escapeHTML = function(html) {`
`104`		`- return html.replace(/[&<>]/g, function(c) {`
	`104`	+ return html.replace(/[&<>"`']/g, function(c) {
`105`	`105`	`return '&#' + c.charCodeAt(0) + ';';`
`106`	`106`	`});`
`107`	`107`	`}`