authorjohannst <johannst@users.noreply.github.com>2022-08-23 19:48:10 +0000
committerjohannst <johannst@users.noreply.github.com>2022-08-23 19:48:10 +0000
commit25b609d0c70d49dd62479ce03578704e62712bd8 (patch)
treef9c761f5c72ded4cf9c31bad9f15109cf810b55c /searcher.js
parentf647a8c45dda58078c86a96c68ae00ea1c69a222 (diff)
deploy: 6f6fef7bb61712038220a7607447d38689ad6978
Diffstat (limited to 'searcher.js')
-rw-r--r--searcher.js10
1 files changed, 8 insertions, 2 deletions
diff --git a/searcher.js b/searcher.js
index 7fd97d4..d2b0aee 100644
--- a/searcher.js
+++ b/searcher.js
@@ -145,6 +145,11 @@ window.search = window.search || {};
url.push("");
}
+ // encodeURIComponent escapes all chars that could allow an XSS except
+ // for '. Due to that we also manually replace ' with its url-encoded
+ // representation (%27).
+ var searchterms = encodeURIComponent(searchterms.join(" ")).replace(/\'/g, "%27");
+
return '<a href="' + path_to_root + url[0] + '?' + URL_MARK_PARAM + '=' + searchterms + '#' + url[1]
+ '" aria-details="teaser_' + teaser_count + '">' + result.doc.breadcrumbs + '</a>'
+ '<span class="teaser" id="teaser_' + teaser_count + '" aria-label="Search Result Teaser">'
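Review bot: The fourth added line, `var searchterms = encodeURIComponent(searchterms.join(" "))...`, re-declares a name that is already bound in this scope (its own right-hand side reads `searchterms.join`, so the outer binding is an array, presumably the enclosing function's parameter, whose signature is above the hunk), and from that point on the same identifier holds an encoded string instead of the array; a fresh name avoids the shadowing, e.g. `var encodedTerms = encodeURIComponent(searchterms.join(" ")).replace(/'/g, "%27");` with `'?' + URL_MARK_PARAM + '=' + encodedTerms` in the `href`. The comment above it overstates what is left: `encodeURIComponent` also leaves `- _ . ! ~ * ( )` unencoded, and in this double-quoted `href` only `"` (which it does encode as `%22`) could terminate the attribute, so escaping `'` is defence in depth for a single-quoted attribute context rather than the one remaining XSS character, and I would reword the comment to say exactly that. Note also that the encoded value is safe only because it sits inside `href="…"`; it must not be reused for the link text or the teaser without HTML escaping. The enclosing function starts and ends outside the hunk.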
@@ -291,7 +296,7 @@ window.search = window.search || {};
}
if (url.params.hasOwnProperty(URL_MARK_PARAM)) {
- var words = url.params[URL_MARK_PARAM].split(' ');
+ var words = decodeURIComponent(url.params[URL_MARK_PARAM]).split(' ');
marker.mark(words, {
exclude: mark_exclude
});
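Review bot: `decodeURIComponent(url.params[URL_MARK_PARAM])` on the replaced line throws a `URIError` on a malformed percent sequence (for example `?highlight=%E0%A4%A`), and because the value comes straight from the page URL, anyone who can get a user to open a crafted link can abort this function before `marker.mark` and whatever follows it runs; the old `split(' ')` on the raw value never threw. I would catch `URIError` and skip highlighting instead of letting the exception propagate, as below; passing an empty list to `marker.mark`, which I assume from here is a no-op, keeps the rest of the handler running. I cannot see from the hunk whether `url.params` values are already decoded somewhere upstream — if they are, the `try` is still harmless. The enclosing function starts and ends outside the hunk.
```javascript
if (url.params.hasOwnProperty(URL_MARK_PARAM)) {
    var words = [];
    try {
        words = decodeURIComponent(url.params[URL_MARK_PARAM]).split(' ');
    } catch (err) {
        // A malformed escape in a user-supplied URL must not abort the whole
        // handler; just highlight nothing.
        if (!(err instanceof URIError)) { throw err; }
    }
    // … unchanged: marker.mark call …
```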
@@ -311,7 +316,7 @@ window.search = window.search || {};
// Eventhandler for keyevents on `document`
function globalKeyHandler(e) {
- if (e.altKey || e.ctrlKey || e.metaKey || e.shiftKey || e.target.type === 'textarea') { return; }
+ if (e.altKey || e.ctrlKey || e.metaKey || e.shiftKey || e.target.type === 'textarea' || e.target.type === 'text') { return; }
if (e.keyCode === ESCAPE_KEYCODE) {
e.preventDefault();
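Review bot: The added `e.target.type === 'text'` on the replaced line covers only one input type, so the shortcut handling that follows still fires while the user types in an `<input type="search">`, `email`, `url`, `password` or `number` field or in a contentEditable element; whatever the handler does below the `ESCAPE_KEYCODE` branch, which continues outside the hunk, applies there as well. Testing the element instead of enumerating types is more robust: `if (e.altKey || e.ctrlKey || e.metaKey || e.shiftKey || /^(?:input|select|textarea)$/i.test(e.target.nodeName) || e.target.isContentEditable) { return; }`. If the search box is itself an `<input>` and the ESCAPE branch is meant to work while it has focus, exempt it explicitly (compare `e.target` against the search input before the `return`) — I cannot see its markup or the rest of the function from here.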
@@ -422,6 +427,7 @@ window.search = window.search || {};
delete url.params[URL_MARK_PARAM];
url.hash = "";
} else {
+ delete url.params[URL_MARK_PARAM];
delete url.params[URL_SEARCH_PARAM];
}
// A new search will also add a new history item, so the user can go back
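Review bot: Both branches of this `if`/`else` now start with `delete url.params[URL_MARK_PARAM];` (the existing one on the second line of the hunk, the added one in `else`), so the statement can be hoisted above the `if`, leaving the branches to differ only in `url.hash = "";` versus `delete url.params[URL_SEARCH_PARAM];`. The `if` condition is above the hunk and the function continues past its end, so I am reading the branch bodies only.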