🐛 Fix: unencoded Content in Search Leads to JavaScript Execution Risk…

… in autocomplete-js Fixes #416
hugo-fixit · Apr 25, 2024 · f4e8bab · f4e8bab
1 parent 1ed0acd
commit f4e8bab
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/assets/js/theme.js b/assets/js/theme.js
@@ -233,7 +233,7 @@ class FixIt {
                 const results = {};
                 window._index.search(query).forEach(({ item, refIndex, matches }) => {
                   let title = item.title;
-                  let content = item.content;
+                  let content = item.content.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
                   matches.forEach(({ indices, value, key }) => {
                     if (key === 'content') {
                       let offset = 0;