Merge pull request #70 from mmn/xss_in_search_page

XSS vulnerability in q parameter for search
2015-01-20 14:04:39 +01:00 · 2015-01-20 14:04:39 +01:00 · 45df35fdc0
commit 45df35fdc0
parent 9f613e5a79 54df331ae4
1 changed files with 1 additions and 1 deletions
--- a/js/dom-functions.js
+++ b/js/dom-functions.js
@ -357,7 +357,7 @@ function setNewCurrentStream(stream,actionOnSuccess,setLocation) {
 	// if this is a search stream
 	else if(stream.substring(0,11) == 'search.json')	{
 		var defaultStreamName = stream;
-		var streamHeader = window.sL.searchVerb + ': ' + decodeURIComponent(stream.substring(stream.indexOf('?q=')+3));
+		var streamHeader = window.sL.searchVerb + ': ' + replaceHtmlSpecialChars(decodeURIComponent(stream.substring(stream.indexOf('?q=')+3)));
 		}
 	
 	// set the h2 header in the feed