escaping issue in rocket.rs search

[raminfp]

Hi,

Bug

1 - view-source:https://rocket.rs/v0.4/guide/

2 - <input id="search-input" placeholder="Search guide...">

3 -

on_search_results("../js/search-index.json", "search-input", function(docs) {
   hitsDiv.innerHTML = "";
   toggleResultsIfNecessary();
   var query = searchBar.value;
    
   if (docs.length == 0) {
   noResults = `<b>We didn't find any results for <em>${query}</em>.</b>`;
   searchStatus.innerHTML = noResults; ## vulnerability code
  return;
   }

Fix

searchStatus.innerText = noResults;

[jebrosen]

Note that switching to innerText isn't a complete fix because of the HTML tags in noResults.

Assigning @SergioBenitez because I don't have write access.

[SergioBenitez]

This has been fixed!

Note: This isn't a XSS bug because it is not possible to inject the search text remotely.