From 5f0a426f65953bbf011b051528a6e6fe234ddecb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adrien=20T=C3=A9tar?=
Date: Fri, 2 May 2014 11:32:41 +0200
Subject: [PATCH] rustdoc: escape shown input to prevent injection
---
src/librustdoc/html/static/main.js | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/librustdoc/html/static/main.js b/src/librustdoc/html/static/main.js
index 21d57a17c6788..9243f72dab7e9 100644
--- a/src/librustdoc/html/static/main.js
+++ b/src/librustdoc/html/static/main.js
@@ -386,12 +386,16 @@ }); } + function escape(content) { + return $('

').text(content).html(); + } + function showResults(results) { var output, shown, query = getQuery(); currentResults = query.id; - output = '

Results for ' + query.query + - (query.type ? ' (type: ' + query.type + ')' : '') + '

'; + output = '

Results for ' + escape(query.query) + + (query.type ? ' (type: ' + escape(query.type) + ')' : '') + '

'; output += ''; if (results.length > 0) { @@ -650,4 +654,3 @@ window.initSearch = initSearch; }()); -
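Review bot: The new `escape` helper is only safe where its result lands in element text, as it does in the results heading. Serialising a text node through `.text(content).html()` encodes `&`, `<` and `>` but leaves `"` and `'` untouched, so a later caller that places the result inside an attribute value would not be protected. I would state that on the helper, e.g. `// HTML-escapes for element content only; quotes are not encoded, so do not use for attribute values`, and rename it to `escapeHtml` so it does not shadow the legacy global `escape()`, which percent-encodes rather than HTML-escapes. `showResults` continues past the end of the hunk, so the remaining concatenations into `output` are not visible here; any result-derived strings built there should presumably get the same treatment.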