Fix code scanning alert no. 3: Client-side cross-site scripting

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
GSA · Dec 17, 2024 · e221b5d · e221b5d
1 parent b758999
commit e221b5d
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/search/index.html b/search/index.html
@@ -18,7 +18,7 @@
   fetch(searchEndpoint).then(function(res) {
       return res.json()
     }).then(function(posts) {
-      document.getElementById('search-params').innerHTML = urlParams.get('query');
+      document.getElementById('search-params').innerHTML = encodeHTML(urlParams.get('query'));
       if (posts.web.results.length > 0) {
         document.getElementById('search-results').classList.remove('display-none');
         document.getElementById('no-results').classList.add('display-none');
@@ -48,6 +48,13 @@
       document.getElementById('search-results').innerHTML = (append == true) ? previous + content : content;
     }
 
+    function encodeHTML(str) {
+      return str.replace(/&/g, '&amp;')
+                .replace(/</g, '&lt;')
+                .replace(/>/g, '&gt;')
+                .replace(/"/g, '&quot;')
+                .replace(/'/g, '&#39;');
+    }
 //]]>
 </script>