UPdates for xss filtering

ChrisHammond · Sep 26, 2024 · 7f53309 · 7f53309
1 parent 511d795
commit 7f53309
Showing 1 changed file with 20 additions and 6 deletions.
diff --git a/_includes/search-lunr.html b/_includes/search-lunr.html
@@ -1,5 +1,4 @@
-<script src="{{site.baseurl}}/assets/js/lunr.js"></script>
-
+<script src="{{site.baseurl}}/js/lunr.js"></script>
 
 <style>
     .lunrsearchresult .title {color: #d9230f;}
@@ -9,13 +8,28 @@
     .lunrsearchresult a:hover .title {text-decoration: underline;}
 </style>
 
-
-<form class="bd-search" onSubmit="return lunr_search(document.getElementById('lunrsearch').value);">
-    <input type="text" class="form-control text-small launch-modal-search" id="lunrsearch" name="q" maxlength="255" value="" placeholder="Type and enter..."/>
+<form role="search" class="bd-search" onsubmit="return sanitizeAndSearch();">
+    <input type="text" class="form-control text-small launch-modal-search" id="lunrsearch" name="q" maxlength="255" value="" placeholder="Search: Type and enter..."/>
 </form>
 
 <div id="lunrsearchresults">
     <ul></ul>
 </div>
 
-<script src="{{site.baseurl}}/assets/js/lunrsearchengine.js"></script>
+<script src="{{site.baseurl}}/js/lunrsearchengine.js"></script>
+
+<script>
+    function sanitizeAndSearch() {
+        const searchBox = document.getElementById('lunrsearch');
+        const originalValue = searchBox.value;
+
+        // Sanitize the search input
+        const sanitizedValue = originalValue.replace(/[<>\/\\{}()$&+%#'"`]/g, '');
+
+        // Set the sanitized value back to the input field (optional)
+        searchBox.value = sanitizedValue;
+
+        // Pass sanitized value to lunr_search function
+        return lunr_search(sanitizedValue);
+    }
+</script>