From 3534daddeefefbd42ea0a3819348327e5d85315c Mon Sep 17 00:00:00 2001
From: Scott Main
Date: Wed, 28 Oct 2009 09:50:06 -0700
Subject: [PATCH] docs: fix XSS vulnerability in search add a function that uses replace() to replace all instances of '<' and '>' with the HTML entities and use this wherever the query text is added onto the page.
---
 docs/html/search.jd | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/docs/html/search.jd b/docs/html/search.jd
index 8032b22191675..d0e7478b51eb7 100644
--- a/docs/html/search.jd
+++ b/docs/html/search.jd
@@ -70,8 +70,8 @@ page.title=Search Results
 searchControl.setSearchStartingCallback(this, function(control, searcher, query) {
 // save the tab index from the hash
 tabIndex = location.hash.split("&t=")[1];
-
- $("#searchTitle").html("search results for " + query + "");
+
+ $("#searchTitle").html("search results for " + escapeHTML(query) + "");
 $.history.add('q=' + query + '&t=' + tabIndex);
 openTab();
 });
@@ -96,7 +96,8 @@ page.title=Search Results
 $(window).history(function(e, hash) {
 var query = decodeURI(getQuery(hash));
 searchControl.execute(query);
- $("#searchTitle").html("search results for " + query + "");
+
+ $("#searchTitle").html("search results for " + escapeHTML(query) + "");
 });
 // forcefully regain key-up event control (previously jacked by search api)
@@ -131,6 +132,13 @@ page.title=Search Results
 return queryParts[1];
 }
+ /* returns the given string with all HTML brackets converted to entities
+ TODO: move this to the site's JS library */
+ function escapeHTML(string) {
+ return string.replace(//g,">");
+ }
+
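Review bot: Both `$("#searchTitle").html(...)` calls, here in the search-starting callback and in the `$(window).history` handler of the second hunk, still assemble markup by string concatenation. The title is therefore only safe as long as every call site remembers to wrap the query in `escapeHTML`. Writing the query through a text API removes that dependency: keep the fixed wording as static markup and fill the query with `.text(query)` on the inner element, or use `$("#searchTitle").text("search results for " + query)` if no inner markup is needed. The markup around the query is not visible in this rendering, so which of the two fits is an assumption to confirm. The enclosing script block starts and ends outside both hunks.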
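Review bot: `escapeHTML` converts only `<` and `>`, according to its comment and the commit message (the regex itself is garbled in this rendering), which is too narrow for the shared-library reuse the TODO proposes. Because `&` is left alone, a query typed as `&lt;b&gt;` is displayed as `<b>` rather than as entered, and because quotes are left alone the output is unsafe inside an attribute value. Escape `&` first and add the quote characters: put `.replace(/&/g,"&amp;")` ahead of the bracket replacements and `.replace(/"/g,"&quot;").replace(/'/g,"&#39;")` after them. The doc comment should also state the contexts the result is safe for, namely HTML text and quoted attribute values, not script, URL or style contexts.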