From 54df331ae4e14ed1c2c01832151346743efd508d Mon Sep 17 00:00:00 2001
From: Mikael Nordfeldth
Date: Tue, 20 Jan 2015 13:47:58 +0100
Subject: [PATCH] XSS vulnerability in q parameter for search
---
 js/dom-functions.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/js/dom-functions.js b/js/dom-functions.js
index e601796..22825fb 100644
--- a/js/dom-functions.js
+++ b/js/dom-functions.js
@@ -357,7 +357,7 @@ function setNewCurrentStream(stream,actionOnSuccess,setLocation) {
 // if this is a search stream
 else if(stream.substring(0,11) == 'search.json') {
 var defaultStreamName = stream;
- var streamHeader = window.sL.searchVerb + ': ' + decodeURIComponent(stream.substring(stream.indexOf('?q=')+3));
+ var streamHeader = window.sL.searchVerb + ': ' + replaceHtmlSpecialChars(decodeURIComponent(stream.substring(stream.indexOf('?q=')+3)));
 }
 // set the h2 header in the feed
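Review bot: `decodeURIComponent` on the added line throws a URIError on malformed percent-encoding (a lone `%` or a truncated `%E2` sequence in the `q` value), so a crafted stream name aborts `setNewCurrentStream` before the header is set; the escaping fix does not cover that path, so the decode should be guarded with a fallback to the raw query, which still goes through `replaceHtmlSpecialChars`. The escaping is applied where the string is built rather than where it is inserted into the DOM, so confirm that every consumer of `streamHeader` inserts it as HTML; a consumer that sets it as text would double-escape. `replaceHtmlSpecialChars` is not in the hunk, and it needs to cover `&`, `<`, `>`, `"` and `'` in case the value ever lands inside an attribute. The substring also keeps anything after the `q` value (further `&` parameters), so the header may show more than the query. setNewCurrentStream starts and ends outside the hunk.
```javascript
            var defaultStreamName = stream;
            var rawQuery = stream.substring(stream.indexOf('?q=')+3);
            var searchQuery;
            try {
                searchQuery = decodeURIComponent(rawQuery);
            } catch (e) {
                // malformed percent-encoding: show the raw value instead of aborting
                searchQuery = rawQuery;
            }
            var streamHeader = window.sL.searchVerb + ': ' + replaceHtmlSpecialChars(searchQuery);
```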