Search results content HTML is not escaped (#22782)

Part of #1207
2025-12-30 12:02:01 -05:00 · 2021-11-13 13:05:06 -05:00
parent 2b98629148
commit 4b59dfd863
1 changed files with 11 additions and 1 deletions
--- a/lib/search/lunr-search.js
+++ b/lib/search/lunr-search.js
@@ -248,7 +248,7 @@ function field(matchData, record, name) {
  if (!positions.length) return text

  // Highlight the text
-  return positions
+  const highlighted = positions
    .map(([prev, start, end], i) => [
      text.slice(prev, start),
      mark(text.slice(start, end)),
@@ -257,6 +257,16 @@ function field(matchData, record, name) {
    .flat()
    .filter(Boolean)
    .join('')
+
+  // We can't HTML escape the content until AFTER all the matchData positions
+  // have been processed otherwise, the positions should shift.
+  // The only HTML that is OK to keep is <mark> and </mark>.
+  return highlighted
+    .replace(/&/g, '&amp;')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/&lt;mark&gt;/g, '<mark>')
+    .replace(/&lt;\/mark&gt;/g, '</mark>')
 }

 function mark(text) {