Diffstat (limited to 'searcher.js')
-rw-r--r--searcher.js10
1 files changed, 8 insertions, 2 deletions
diff --git a/searcher.js b/searcher.js
index 7fd97d4..d2b0aee 100644
--- a/searcher.js
+++ b/searcher.js
@@ -145,6 +145,11 @@ window.search = window.search || {};
url.push("");
}
+ // encodeURIComponent escapes all chars that could allow an XSS except
+ // for '. Due to that we also manually replace ' with its url-encoded
+ // representation (%27).
+ var searchterms = encodeURIComponent(searchterms.join(" ")).replace(/\'/g, "%27");
+
return '<a href="' + path_to_root + url[0] + '?' + URL_MARK_PARAM + '=' + searchterms + '#' + url[1]
+ '" aria-details="teaser_' + teaser_count + '">' + result.doc.breadcrumbs + '</a>'
+ '<span class="teaser" id="teaser_' + teaser_count + '" aria-label="Search Result Teaser">'
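Review bot: The added `var searchterms = encodeURIComponent(searchterms.join(" "))...` redeclares a binding that already exists (the line itself calls `.join` on it), so with `var` this silently overwrites the original array with a string inside the enclosing function, which starts outside the hunk; any later use of `searchterms` as an array there would break. Prefer a new name, `var encoded_terms = encodeURIComponent(searchterms.join(" ")).replace(/'/g, "%27");`, and use `encoded_terms` in the `href` on the next line (the `\'` escape inside the regex literal is also unnecessary). The new comment would be more precise as `// The value lands in a double-quoted href attribute: encodeURIComponent already percent-encodes ", <, > and &, and ' is encoded as %27 so the value stays safe even if the attribute quoting changes.` The same return statement still concatenates `result.doc.breadcrumbs` unescaped; whether that is trusted content is not visible in this hunk.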
@@ -291,7 +296,7 @@ window.search = window.search || {};
}
if (url.params.hasOwnProperty(URL_MARK_PARAM)) {
- var words = url.params[URL_MARK_PARAM].split(' ');
+ var words = decodeURIComponent(url.params[URL_MARK_PARAM]).split(' ');
marker.mark(words, {
exclude: mark_exclude
});
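Review bot: `decodeURIComponent(url.params[URL_MARK_PARAM])` throws a `URIError` on malformed percent-encoding, and since this parameter comes straight from the page URL anyone can craft a link that makes the highlight step abort with an uncaught exception. Catch the error and fall back to highlighting nothing instead of letting the script die. It is also not visible here whether `url.params` is already decoded by the helper that builds it; if so this would double-decode and should be dropped rather than guarded. The enclosing function starts and ends outside the hunk.
```javascript
if (url.params.hasOwnProperty(URL_MARK_PARAM)) {
    var raw_terms = url.params[URL_MARK_PARAM];
    var words;
    try {
        words = decodeURIComponent(raw_terms).split(' ');
    } catch (err) {
        // Malformed percent-encoding in the URL (URIError): highlight nothing rather than abort.
        words = [];
    }
    marker.mark(words, {
    // … unchanged: exclude option …
```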
@@ -311,7 +316,7 @@ window.search = window.search || {};
// Eventhandler for keyevents on `document`
function globalKeyHandler(e) {
- if (e.altKey || e.ctrlKey || e.metaKey || e.shiftKey || e.target.type === 'textarea') { return; }
+ if (e.altKey || e.ctrlKey || e.metaKey || e.shiftKey || e.target.type === 'textarea' || e.target.type === 'text') { return; }
if (e.keyCode === ESCAPE_KEYCODE) {
e.preventDefault();
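Review bot: The new `e.target.type === 'text'` check only covers one input type, so key events in `search`, `email`, `url`, `password` or `number` inputs and in `contenteditable` elements still reach the global shortcuts. A check on the element kind rather than its `type` is more robust, e.g. `var t = e.target;` followed by `if (e.altKey || e.ctrlKey || e.metaKey || e.shiftKey || t.tagName === 'INPUT' || t.tagName === 'TEXTAREA' || t.isContentEditable) { return; }`. If the search box itself relies on this handler for Escape, it would need to be exempted explicitly; that is not visible in the hunk, and `globalKeyHandler` continues beyond it.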
@@ -422,6 +427,7 @@ window.search = window.search || {};
delete url.params[URL_MARK_PARAM];
url.hash = "";
} else {
+ delete url.params[URL_MARK_PARAM];
delete url.params[URL_SEARCH_PARAM];
}
// A new search will also add a new history item, so the user can go back
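Review bot: After this change both branches of the `if`/`else` delete `url.params[URL_MARK_PARAM]`, so the statement can be hoisted above the condition (whose `if (...)` line starts outside the hunk) and the branches reduced to `url.hash = "";` and `delete url.params[URL_SEARCH_PARAM];` respectively. A short comment on the hoisted line such as `// A new search never carries over the previous highlight term.` would record why the mark parameter is always dropped.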