| author | Adrien Tétar <adri-from-59@hotmail.fr> | 2014-05-02 11:32:41 +0200 |
|---|---|---|
| committer | Adrien Tétar <adri-from-59@hotmail.fr> | 2014-05-02 20:41:09 +0200 |
| commit | 5f0a426f65953bbf011b051528a6e6fe234ddecb (patch) | |
| tree | 2e75a27b9671cd2676d4a1d30312b8f7f612f73b /src/librustdoc/html/static | |
| parent | 9f484e616e8731c3fd9346460a71156ddba454b4 (diff) | |
rustdoc: escape shown input to prevent injection
Diffstat (limited to 'src/librustdoc/html/static')
| -rw-r--r-- | src/librustdoc/html/static/main.js | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/src/librustdoc/html/static/main.js b/src/librustdoc/html/static/main.js index 21d57a17c67..9243f72dab7 100644 --- a/src/librustdoc/html/static/main.js +++ b/src/librustdoc/html/static/main.js @@ -386,12 +386,16 @@ }); } + function escape(content) { + return $('<h1/>').text(content).html(); + } + function showResults(results) { var output, shown, query = getQuery(); currentResults = query.id; - output = '<h1>Results for ' + query.query + - (query.type ? ' (type: ' + query.type + ')' : '') + '</h1>'; + output = '<h1>Results for ' + escape(query.query) + + (query.type ? ' (type: ' + escape(query.type) + ')' : '') + '</h1>'; output += '<table class="search-results">'; if (results.length > 0) { @@ -650,4 +654,3 @@ window.initSearch = initSearch; }()); - |
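Review bot: The new `escape` helper in the first hunk is only safe for element content, because `$('<h1/>').text(content).html()` encodes `&`, `<` and `>` but leaves `"` and `'` as they are. Both call sites in this hunk sit inside `<h1>` text, so the fix holds as used, but the helper should carry a comment saying so, for example `// HTML-escapes text for element content only; quotes are not encoded, so never use the result inside an attribute value`. The name also shadows the built-in global `escape()` within this closure, so `escapeHtml` would read more clearly and avoid confusion with URL escaping. `showResults` continues past the end of the hunk, and the rest of its string-built markup (not visible here) is worth checking for the same unescaped interpolation of query or result fields.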
