
Always encodeURI query parameters to prevent xss

1 parent 4ef7ab3 commit 640a7b41c6300967a8c6b02d26b368508e459f9d @rspier rspier committed Nov 26, 2009
Showing with 2 additions and 2 deletions.
  1. +1 −1 javascript/search.js
  2. +1 −1 static-html/search.html
@@ -19,7 +19,7 @@ var perldocSearch = {
run: function(args) {
if (args.q) {
args.q = args.q.replace(/\+/g," ");
- $('results_title').innerHTML = 'Search results for query "' + args.q + '"';
+ $('results_title').innerHTML = 'Search results for query "' + encodeURI(args.q) + '"';
if (args.r && args.r == "no") {
perldocSearch.doFullSearch(args.q);
} else {
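Review bot: encodeURI on the replaced line is a URL-component encoder, not an HTML escaper, so it is the wrong primitive for a value assigned through innerHTML; it happens to percent-encode `"`, `<` and `>` but leaves `'` and `&` untouched, and it also turns every space (including the ones the previous line just produced from `+`) into `%20`, so the heading now reads as a URL-encoded query. Since the query is meant to appear as text, assign it as text instead of markup: `$('results_title').textContent = 'Search results for query "' + args.q + '"';` (or build the node with `document.createTextNode`), which needs no escaping at all. The same substitution is made in static-html/search.html in the next hunk; a proper HTML-escaping helper or a DOM assignment is the fix there too rather than encodeURI. The enclosing `run` function continues past the end of this hunk.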
@@ -40,7 +40,7 @@ <h1 id="results_title">Search results</h1>
<td>
<script>
if (args.q) {
- document.write('<INPUT TYPE=text name=q size=31 maxlength=255 value="' + args.q + '">');
+ document.write('<INPUT TYPE=text name=q size=31 maxlength=255 value="' + encodeURI(args.q) + '">');
} else {
document.write('<INPUT TYPE=text name=q size=31 maxlength=255 value="">');
}
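Review bot: The document.write branch on the changed line now shows the user a percent-encoded query in the input box (`foo bar` becomes `foo%20bar`), because encodeURI rewrites characters that are harmless inside a double-quoted attribute along with the ones that are not; it is also not a complete attribute escape, since `&` passes through unchanged. The else branch already writes the same INPUT with an empty value, so both branches can collapse into that one unconditional document.write, followed by setting the value through the DOM after the element exists, e.g. `document.getElementsByName('q')[0].value = args.q;` guarded by `if (args.q)`. Assigning `.value` stores the string as data rather than markup, so no encoding is needed and the field displays the query as typed. The surrounding `<script>` block is only partly visible in this hunk, so the exact placement of that assignment should be checked against the rest of the page.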
