Prevent HTML/XSS Injection in Scala Search (#19980)

This PR fixes the `_layouts/search.html` file to use `innerText` rather than `innerHTML`. This will prevent the ability to inject HTML/XSS into the code of the page.
scala · Mar 19, 2024 · 4554131 · 4554131
1 parent 1eb466c
commit 4554131
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/docs/_layouts/search.html b/docs/_layouts/search.html
@@ -47,11 +47,11 @@ <h2 class="d-none d-md-block">Member Results</h2>
 
     // Set search term and title:
     var searchTerm = decodeURIComponent(parameters["searchTerm"]);
-    document.getElementById("searching-for").innerHTML = 'Search results for "' + searchTerm + '"';
+    document.getElementById("searching-for").innerText = 'Search results for "' + searchTerm + '"';
     document.title = searchTerm + ' - Search results';
 
     if (!window.Worker) {
-        document.getElementById("searching-for").innerHTML =
+        document.getElementById("searching-for").innerText =
             "Couldn't search for \"" + searchTerm + "\", " +
             "web workers not supported. Please update your browser.";
     }