Keep code coloring in search results short text #68699
Conversation
| // In case someone wants to close the current tag to inject some other unwanted things. | ||
| // For example: "</span><iframe whatever>" | ||
| function safeHtml(x) { | ||
| var e = document.createElement('h1'); | ||
| e.innerHTML = x; | ||
| return e.innerHTML; | ||
| } | ||
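Review bot: the comment above `safeHtml` overstates what the function does. Assigning the string to `innerHTML` of a detached `<h1>` and reading `innerHTML` back only re-serializes balanced markup: a stray `</span>` can no longer close the enclosing tag, but every element in the input survives the round-trip, the `<iframe whatever>` from the comment's own example included, so nothing here prevents injection. If `x` can come from anything other than rustdoc's own highlighter output, escape it instead (set `textContent` and read `innerHTML`, or escape `&`, `<`, `>` and quotes) rather than re-serializing it; if the input is always trusted, reword the comment to say the function keeps unbalanced tags from breaking the surrounding HTML, not that it blocks "unwanted things".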
NieDzejkob
Jan 31, 2020
Contributor
What prevents someone from injecting nasty tags without closing the span?
GuillaumeGomez
Feb 1, 2020
Author
Member
They can indeed, but it'll be in the documentation as well in any case. It's mostly to prevent breaking the whole HTML rather than "inject" things. My comment might be a bit misleading...
There's a test case to fix, and a few ideas/points in comments.
9e7808f to c95068f
Updated!
@bors r+
@bors r- The Additionally, if the summaries for the search index are to be rendered to HTML then the text will need to be HTML escaped. HTML rendering should use
@ollie27 Great catch! We really need the front-end checks to come back... cc @pietroalbini :)
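The thread above turns on the difference between re-balancing markup (what `safeHtml` does with its `innerHTML` round-trip) and HTML-escaping the summary text (what @ollie27 asks for). The following is an added example, not code from this PR or from rustdoc: it escapes untrusted summary text before wrapping it in a hypothetical `<span class="summary">` and checks that the result contains exactly the two tags the template supplies. The sample summaries, including the `</span><iframe whatever>` payload from the review comment, are constructed for the example.

```javascript
// Added example (not rustdoc's code): escape summary text before it is
// placed inside HTML, instead of re-serializing it through innerHTML.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Replace every character that can start markup or end an attribute value,
// so the browser parses the text as character data and never as a tag.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Hypothetical search-result snippet: trusted wrapper markup supplied by the
// template, untrusted summary text escaped inside it.
function renderSummary(summary) {
  return '<span class="summary">' + escapeHtml(summary) + '</span>';
}

// Count start and end tags in a serialized HTML fragment. A correctly
// rendered snippet contains only the two tags the template adds, whatever
// the summary text contained.
function tagCount(html) {
  const tags = html.match(/<\/?[A-Za-z]/g);
  return tags ? tags.length : 0;
}

// Constructed sample summaries: ordinary generic syntax, the payload from
// the review comment, and an event-handler attribute.
const SAMPLE_SUMMARIES = [
  'Returns a Vec<T> of matching items',
  '</span><iframe whatever>',
  '<img src=x onerror="alert(1)">',
];

// Render every sample and report the tag count of each snippet.
function checkSamples() {
  return SAMPLE_SUMMARIES.map((s) => {
    const html = renderSummary(s);
    return { summary: s, html, tags: tagCount(html) };
  });
}

for (const r of checkSamples()) {
  console.log(r.tags + ' tag(s): ' + r.html);
}
```

Every snippet comes out with exactly two tags. Compare the `innerHTML` round-trip in `safeHtml`: run in a browser on the second sample it drops the stray `</span>` but keeps the `<iframe>` as a real element, which is why it only protects the page's structure and not against injected markup.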

GuillaumeGomez commented Jan 31, 2020
Fixes #32040.
r? @kinnison