From 25b609d0c70d49dd62479ce03578704e62712bd8 Mon Sep 17 00:00:00 2001
From: johannst
Date: Tue, 23 Aug 2022 19:48:10 +0000
Subject: deploy: 6f6fef7bb61712038220a7607447d38689ad6978
---
 searcher.js | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
(limited to 'searcher.js')
diff --git a/searcher.js b/searcher.js
index 7fd97d4..d2b0aee 100644
--- a/searcher.js
+++ b/searcher.js
@@ -145,6 +145,11 @@ window.search = window.search || {};
 url.push("");
 }
+ // encodeURIComponent escapes all chars that could allow an XSS except
+ // for '. Due to that we also manually replace ' with its url-encoded
+ // representation (%27).
+ var searchterms = encodeURIComponent(searchterms.join(" ")).replace(/\'/g, "%27");
+
 return '' + result.doc.breadcrumbs + '' + ''
@@ -291,7 +296,7 @@ window.search = window.search || {};
 }
 if (url.params.hasOwnProperty(URL_MARK_PARAM)) {
- var words = url.params[URL_MARK_PARAM].split(' ');
+ var words = decodeURIComponent(url.params[URL_MARK_PARAM]).split(' ');
 marker.mark(words, {
 exclude: mark_exclude
 });
@@ -311,7 +316,7 @@ window.search = window.search || {};
 // Eventhandler for keyevents on `document`
 function globalKeyHandler(e) {
- if (e.altKey || e.ctrlKey || e.metaKey || e.shiftKey || e.target.type === 'textarea') { return; }
+ if (e.altKey || e.ctrlKey || e.metaKey || e.shiftKey || e.target.type === 'textarea' || e.target.type === 'text') { return; }
 if (e.keyCode === ESCAPE_KEYCODE) {
 e.preventDefault();
@@ -422,6 +427,7 @@ window.search = window.search || {};
 delete url.params[URL_MARK_PARAM];
 url.hash = "";
 } else {
+ delete url.params[URL_MARK_PARAM];
 delete url.params[URL_SEARCH_PARAM];
 }
 // A new search will also add a new history item, so the user can go back
-- 
cgit v1.2.3
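Review bot: The new `var searchterms = encodeURIComponent(searchterms.join(" "))…` rebinds a name that, judging from the `.join(" ")` call, already holds an array (presumably a parameter or earlier `var` of the enclosing function, which starts outside the hunk), so within this scope the same identifier is first an array and then a string. A distinct name keeps that visible, e.g. `var encodedTerms = encodeURIComponent(searchterms.join(" ")).replace(/'/g, "%27");` (the backslash in `/\'/g` is a no-op escape and can go). Percent-encoding is the right treatment for a value that, as the comment says, ends up in an href spliced into markup, and the characters encodeURIComponent leaves alone besides `'` (`( ) * ! ~`) are inert in a quoted attribute; the sturdier long-term fix is to build the result with `document.createElement`/`setAttribute` and `URLSearchParams` rather than concatenating HTML strings, which makes the manual `'` replacement unnecessary.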
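Review bot: `decodeURIComponent(url.params[URL_MARK_PARAM])` throws a `URIError` on a malformed percent sequence (a stray `%` or a truncated multi-byte escape), and that parameter comes straight from the page URL, so a hand-edited or truncated link now aborts this handler at that line instead of simply highlighting nothing. Guard it, e.g. `var words; try { words = decodeURIComponent(url.params[URL_MARK_PARAM]).split(' '); } catch (err) { words = []; }`, or skip `marker.mark` entirely when decoding fails. Whether the values in `url.params` are already decoded by the helper that fills them is not visible in this hunk; if they are, this line double-decodes, so that is worth confirming.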
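Review bot: The added `e.target.type === 'text'` check only excludes inputs whose type attribute is literally `text`; keystrokes in `email`, `number`, `password`, `url` or `tel` inputs and in `contenteditable` elements still reach the shortcuts handled below. A `contenteditable` target has no `type` at all, so `e.target.isContentEditable` belongs in the guard too, and the type list is easier to maintain in one place, e.g. `var TEXT_INPUT_TYPES = ['text', 'email', 'number', 'password', 'url', 'tel'];` checked with `TEXT_INPUT_TYPES.indexOf(e.target.type) !== -1`. The rest of `globalKeyHandler` lies outside the hunk; if the search box itself relies on this handler while focused (Escape, arrow keys), its own input type must stay out of that list.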
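Review bot: With the added line, `delete url.params[URL_MARK_PARAM];` now runs on both sides of the `if`/`else`, so it can be hoisted above the conditional and the branches reduced to what actually differs (`url.hash = "";` versus `delete url.params[URL_SEARCH_PARAM];`). The `if` condition starts before the hunk; the hoist is only safe if that condition does not test for the presence of `URL_MARK_PARAM`, which should be checked first. A short comment on why a cleared search must also drop the mark parameter would help a later reader, since the trailing comment only covers the history entry.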