The search implementation in js/search.js is currently vulnerable to Reflected XSS. Specifically, the user-supplied query is directly concatenated into the innerHTML of the search results container without any sanitization or escaping.
A malicious actor could craft a URL containing a payload like <img src=x onerror=alert(1)> which would execute arbitrary JavaScript in the user's browser when the search results are rendered.
I've already prepared a fix that introduces a helper function to escape HTML entities and applies it to the query before rendering.
```javascript
// Replace every character that can start a tag, attribute or entity with
// its HTML entity, so the query is rendered as inert text inside innerHTML.
function escapeHTML(str) {
  if (!str) return '';
  return str.replace(/[&<>"']/g, function (m) {
    return {
      '&': '&amp;',
      '<': '&lt;',
      '>': '&gt;',
      '"': '&quot;',
      "'": '&#39;'
    }[m];
  });
}
```
This ensures that both the "no results" hint and the highlighted matches are handled safely.
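To make the difference concrete, here is an added example (not the project's own js/search.js) that contrasts the vulnerable string-concatenation render described above with a render that escapes the query and each result title before they enter the markup. It runs under Node without a DOM by building the HTML string that would be assigned to the results container's innerHTML; the function and variable names (renderResultsVulnerable, renderResultsSafe, SAMPLE_TITLES) and the sample input are assumptions for the demonstration.

```javascript
// Added example, not code from the project: vulnerable vs. escaped rendering
// of a search query into a results container. No DOM needed; we build the
// HTML string that would be assigned to innerHTML.

// Same escaping helper as in the proposed fix: every character that can open
// a tag, attribute or entity is replaced by its HTML entity.
function escapeHTML(str) {
  if (!str) return '';
  return str.replace(/[&<>"']/g, function (m) {
    return {
      '&': '&amp;',
      '<': '&lt;',
      '>': '&gt;',
      '"': '&quot;',
      "'": '&#39;'
    }[m];
  });
}

// Vulnerable pattern described in the issue: the raw query is concatenated
// into markup, so a query containing a tag becomes live HTML when rendered.
function renderResultsVulnerable(query, titles) {
  if (titles.length === 0) {
    return '<p class="hint">No results for "' + query + '"</p>';
  }
  return '<ul>' + titles.map(function (t) {
    return '<li>' + t.replace(query, '<mark>' + query + '</mark>') + '</li>';
  }).join('') + '</ul>';
}

// Hardened version: escape every untrusted string (query and each title)
// before it enters markup. The <mark> wrapper is our own literal markup,
// added after escaping, so the input cannot influence it.
function renderResultsSafe(query, titles) {
  var q = escapeHTML(query);
  if (titles.length === 0) {
    return '<p class="hint">No results for "' + q + '"</p>';
  }
  return '<ul>' + titles.map(function (t) {
    var safeTitle = escapeHTML(t);
    // Highlight by splitting the escaped title on the escaped query, so match
    // boundaries are computed on text that is already inert. split/join with
    // plain strings also avoids the "$&"-style replacement patterns that
    // String.prototype.replace would interpret in the query.
    var highlighted = q ? safeTitle.split(q).join('<mark>' + q + '</mark>') : safeTitle;
    return '<li>' + highlighted + '</li>';
  }).join('') + '</ul>';
}

// Defender-side check: does the rendered HTML contain an element of the given
// name? After escaping, the only '<' characters are the ones we emitted.
function containsRawTag(html, tagName) {
  return html.toLowerCase().indexOf('<' + tagName) !== -1;
}

// Constructed sample input: the payload quoted in the issue plus a few titles.
var PAYLOAD = '<img src=x onerror=alert(1)>';
var SAMPLE_TITLES = ['Getting started', 'Search tips', 'Advanced search'];

function demo() {
  var vulnerable = renderResultsVulnerable(PAYLOAD, []);
  var safe = renderResultsSafe(PAYLOAD, []);
  console.log('vulnerable:', vulnerable);
  console.log('safe:      ', safe);
  console.log('highlight: ', renderResultsSafe('search', SAMPLE_TITLES));
  return {
    vulnerableHasImg: containsRawTag(vulnerable, 'img'),
    safeHasImg: containsRawTag(safe, 'img')
  };
}

if (typeof require !== 'undefined' && require.main === module) demo();
```

The key property is that escaping happens on the data before any of our own markup is added, so both the "no results" hint and the highlighted matches stay safe regardless of what the query contains; escaping the titles as well closes the same hole for content that arrives from the index rather than the URL.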