From 017c521eadc2ca3c8c1cf4d87a797fafde62f127 Mon Sep 17 00:00:00 2001
From: Dhghomon
Date: Tue, 5 Jan 2021 02:55:59 +0000
Subject: [PATCH] deploy: 773f02d4af72ef1862ccf9b2a9107d68b4bf2266
---
 searcher.js | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/searcher.js b/searcher.js
index e1cc806..acf3d50 100644
--- a/searcher.js
+++ b/searcher.js
@@ -145,6 +145,11 @@ window.search = window.search || {};
 url.push("");
 }
+ // encodeURIComponent escapes all chars that could allow an XSS except
+ // for '. Due to that we also manually replace ' with its url-encoded
+ // representation (%27).
+ var searchterms = encodeURIComponent(searchterms.join(" ")).replace(/\'/g, "%27");
+
 return '' + result.doc.breadcrumbs + '' + ''
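Review bot: The added `var searchterms = …` line re-declares the name it reads from, so after it `searchterms` holds an encoded string instead of the list that `.join(" ")` is called on; any use further down that still expects the list would get the string without an error. A distinct name avoids that, for example `var encodedTerms = encodeURIComponent(searchterms.join(" ")).replace(/'/g, "%27");` (the backslash in `/\'/g` is redundant), with the link-building expression switched to the new name. The comment's claim holds for a value placed inside a quoted URL attribute, and saying so in the comment would keep it from being read as a general HTML-escaping guarantee; `result.doc.breadcrumbs` on the `return` line is concatenated as is and is not covered by this encoding. The enclosing function starts and ends outside the hunk, and the string literals on the `return` line look truncated in this copy, so where the encoded value is inserted is inferred.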