From 4b59dfd863516e425c175c6f8dd3e9e3a562ac63 Mon Sep 17 00:00:00 2001
From: Peter Bengtsson
Date: Sat, 13 Nov 2021 13:05:06 -0500
Subject: [PATCH] Search results content HTML is not escaped (#22782)

Part of #1207
---
 lib/search/lunr-search.js | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/lib/search/lunr-search.js b/lib/search/lunr-search.js
index f533e91860..75f02a863f 100644
--- a/lib/search/lunr-search.js
+++ b/lib/search/lunr-search.js
@@ -248,7 +248,7 @@ function field(matchData, record, name) {
 if (!positions.length) return text

 // Highlight the text
- return positions
+ const highlighted = positions
 .map(([prev, start, end], i) => [
 text.slice(prev, start),
 mark(text.slice(start, end)),
@@ -257,6 +257,16 @@ function field(matchData, record, name) {
 .flat()
 .filter(Boolean)
 .join('')
+
+ // We can't HTML escape the content until AFTER all the matchData positions
+ // have been processed otherwise, the positions should shift.
+ // The only HTML that is OK to keep is and .
+ return highlighted
+ .replace(/&/g, '&')
+ .replace(//g, '>')
+ .replace(/<mark>/g, '')
+ .replace(/<\/mark>/g, '')
 }

 function mark(text) {
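Review bot: The early return kept as context in the first hunk, `if (!positions.length) return text`, still hands back the raw field value, so a field with no match positions skips the new escaping and only highlighted fields come out escaped. Moving the replace chain into a small helper and using it on both paths would close that gap, e.g. `if (!positions.length) return escapeHTML(text)` (the helper name is a suggestion, not an existing function). The chain in the second hunk also leaves `"` and `'` untouched, which is fine for element content but not if a caller ever places the result inside an attribute value; the comment above it should say so. field() starts above the first hunk, so any earlier return path is not visible here. The replacement literals on this page appear to have been entity-decoded by the rendering, so confirm them against the file itself.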