Fixed: XSS vulnerability in the navbar search. (#2505)

Fixes #2503
2024-11-04 10:02:40 +01:00 · 2018-02-12 05:20:55 +13:00 · 2018-02-12 05:20:55 +13:00 · 3ed0652feb
commit 3ed0652feb
parent f4e2a510f2
1 changed files with 3 additions and 1 deletions
--- a/src/UI/Navbar/Search.js
+++ b/src/UI/Navbar/Search.js
@ -30,7 +30,9 @@ $.fn.bindSearch = function() {
        },
        templates  : {
          empty : function(input) {
-            return '<div class="tt-dataset-series"><span class="tt-suggestions" style="display: block;"><div class="tt-suggestion"><p style="white-space: normal;"><a class="no-movies-found" href="/addmovies/search/' + input.query + '">Search for "' + input.query + '"</a></p></div></span></div>';
+            var escapedQuery = _.escape(input.query);
+
+            return "<div class='tt-dataset-series'><span class='tt-suggestions' style='display: block;'><div class='tt-suggestion'><p style='white-space: normal;'><a class='no-movies-found' href='/addmovies/search/'" + escapedQuery + "'>Search for " + escapedQuery + "</a></p></div></span></div>";
          },
        },
        source     : substringMatcher()