From d5c73ff84abf39cab00fc86f77670eb29f315094 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=81lvaro=20Mond=C3=A9jar=20Rubio?=
 <mondejar1994@gmail.com>
Date: Sat, 5 Mar 2022 10:18:55 +0100
Subject: [PATCH 1/3] Prevent XSS searching in builtin themes

---
 mkdocs/contrib/search/templates/search/main.js | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/mkdocs/contrib/search/templates/search/main.js b/mkdocs/contrib/search/templates/search/main.js
index c5ccfa61a8..e7f613f231 100644
--- a/mkdocs/contrib/search/templates/search/main.js
+++ b/mkdocs/contrib/search/templates/search/main.js
@@ -21,8 +21,15 @@ function joinUrl (base, path) {
   return base + "/" + path;
 }
 
+function htmlEncode (value) {
+  return value.replace(/&/g, '&amp;')
+    .replace(/"/g, '&quot;')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;');
+}
+
 function formatResult (location, title, summary) {
-  return '<article><h3><a href="' + joinUrl(base_url, location) + '">'+ title + '</a></h3><p>' + summary +'</p></article>';
+  return '<article><h3><a href="' + joinUrl(base_url, location) + '">'+ title + '</a></h3><p>' + htmlEncode(summary) +'</p></article>';
 }
 
 function displayResults (results) {

From 520e2a2dd31d28ce610f17d9903a70da94e0d90c Mon Sep 17 00:00:00 2001
From: Oleh Prypin <oleh@pryp.in>
Date: Fri, 25 Mar 2022 12:49:46 +0100
Subject: [PATCH 2/3] Also need to escape title

---
 mkdocs/contrib/search/templates/search/main.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mkdocs/contrib/search/templates/search/main.js b/mkdocs/contrib/search/templates/search/main.js
index e7f613f231..4a042472df 100644
--- a/mkdocs/contrib/search/templates/search/main.js
+++ b/mkdocs/contrib/search/templates/search/main.js
@@ -29,7 +29,7 @@ function htmlEncode (value) {
 }
 
 function formatResult (location, title, summary) {
-  return '<article><h3><a href="' + joinUrl(base_url, location) + '">'+ title + '</a></h3><p>' + htmlEncode(summary) +'</p></article>';
+  return '<article><h3><a href="' + joinUrl(base_url, location) + '">'+ htmlEncode(title) + '</a></h3><p>' + htmlEncode(summary) +'</p></article>';
 }
 
 function displayResults (results) {

From b0347035fa8ffbe25e16537e3f8c59f850953a31 Mon Sep 17 00:00:00 2001
From: Oleh Prypin <oleh@pryp.in>
Date: Fri, 25 Mar 2022 12:50:02 +0100
Subject: [PATCH 3/3] Rename method

---
 mkdocs/contrib/search/templates/search/main.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/mkdocs/contrib/search/templates/search/main.js b/mkdocs/contrib/search/templates/search/main.js
index 4a042472df..a5e469d7c8 100644
--- a/mkdocs/contrib/search/templates/search/main.js
+++ b/mkdocs/contrib/search/templates/search/main.js
@@ -21,7 +21,7 @@ function joinUrl (base, path) {
   return base + "/" + path;
 }
 
-function htmlEncode (value) {
+function escapeHtml (value) {
   return value.replace(/&/g, '&amp;')
     .replace(/"/g, '&quot;')
     .replace(/</g, '&lt;')
@@ -29,7 +29,7 @@ function htmlEncode (value) {
 }
 
 function formatResult (location, title, summary) {
-  return '<article><h3><a href="' + joinUrl(base_url, location) + '">'+ htmlEncode(title) + '</a></h3><p>' + htmlEncode(summary) +'</p></article>';
+  return '<article><h3><a href="' + joinUrl(base_url, location) + '">'+ escapeHtml(title) + '</a></h3><p>' + escapeHtml(summary) +'</p></article>';
 }
 
 function displayResults (results) {