From 9528ef529b0cf5a45fc7b25b7aed43f54544c28d Mon Sep 17 00:00:00 2001
From: Liam Bigelow <40188355+bglw@users.noreply.github.com>
Date: Tue, 3 Sep 2024 13:17:26 +1200
Subject: [PATCH] Add safety checks around accesses for
 `document.currentScript.src`

---
 pagefind_ui/default/svelte/ui.svelte | 16 +++++++++++++---
 pagefind_ui/default/ui-core.js       |  9 ++++++---
 pagefind_ui/modular/modular-core.js  | 27 ++++++++++++++++++++-------
 3 files changed, 39 insertions(+), 13 deletions(-)

diff --git a/pagefind_ui/default/svelte/ui.svelte b/pagefind_ui/default/svelte/ui.svelte
index 4be04d55..a40b5867 100644
--- a/pagefind_ui/default/svelte/ui.svelte
+++ b/pagefind_ui/default/svelte/ui.svelte
@@ -99,11 +99,21 @@
           [
             `Pagefind couldn't be loaded from ${this.options.bundlePath}pagefind.js`,
             `You can configure this by passing a bundlePath option to PagefindUI`,
-            `[DEBUG: Loaded from ${
-              document?.currentScript?.src ?? "no known script location"
-            }]`,
           ].join("\n")
         );
+        // Important: Check that the element is indeed a <script> node, to avoid a DOM clobbering vulnerability
+        if (
+          document?.currentScript &&
+          document.currentScript.tagName.toUpperCase() === "SCRIPT"
+        ) {
+          console.error(
+            `[DEBUG: Loaded from ${
+              document.currentScript.src ?? "bad script location"
+            }]`
+          );
+        } else {
+          console.error("no known script location");
+        }
       }
 
       if (!excerpt_length) {
diff --git a/pagefind_ui/default/ui-core.js b/pagefind_ui/default/ui-core.js
index 02e2a9f1..f0762c31 100644
--- a/pagefind_ui/default/ui-core.js
+++ b/pagefind_ui/default/ui-core.js
@@ -2,9 +2,12 @@ import PagefindSvelte from "./svelte/ui.svelte";
 
 let scriptBundlePath;
 try {
-  scriptBundlePath = new URL(document.currentScript.src).pathname.match(
-    /^(.*\/)(?:pagefind-)?ui.js.*$/
-  )[1];
+  // Important: Check that the element is indeed a <script> node, to avoid a DOM clobbering vulnerability
+  if (document?.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT') {
+    scriptBundlePath = new URL(document.currentScript.src).pathname.match(
+      /^(.*\/)(?:pagefind-)?ui.js.*$/
+    )[1];
+  }
 } catch (e) {
   scriptBundlePath = "/pagefind/";
 }
diff --git a/pagefind_ui/modular/modular-core.js b/pagefind_ui/modular/modular-core.js
index 1a07cd78..4f25672e 100644
--- a/pagefind_ui/modular/modular-core.js
+++ b/pagefind_ui/modular/modular-core.js
@@ -8,9 +8,12 @@ const sleep = async (ms = 50) =>
 
 let scriptBundlePath;
 try {
-  scriptBundlePath = new URL(document.currentScript.src).pathname.match(
-    /^(.*\/)(?:pagefind-)?modular-ui.js.*$/
-  )[1];
+  // Important: Check that the element is indeed a <script> node, to avoid a DOM clobbering vulnerability
+  if (document?.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT') {
+    scriptBundlePath = new URL(document.currentScript.src).pathname.match(
+      /^(.*\/)(?:pagefind-)?modular-ui.js.*$/
+    )[1];
+  }
 } catch (e) {
   scriptBundlePath = "/pagefind/";
 }
@@ -166,12 +169,22 @@ export class Instance {
         console.error(
           [
             `Pagefind couldn't be loaded from ${this.options.bundlePath}pagefind.js`,
-            `You can configure this by passing a bundlePath option to PagefindComposable Instance`,
-            `[DEBUG: Loaded from ${
-              document?.currentScript?.src ?? "no known script location"
-            }]`,
+            `You can configure this by passing a bundlePath option to PagefindComposable Instance`
           ].join("\n")
         );
+        // Important: Check that the element is indeed a <script> node, to avoid a DOM clobbering vulnerability
+        if (
+          document?.currentScript &&
+          document.currentScript.tagName.toUpperCase() === "SCRIPT"
+        ) {
+          console.error(
+            `[DEBUG: Loaded from ${
+              document.currentScript?.src ?? "bad script location"
+            }]`
+          );
+        } else {
+          console.error("no known script location");
+        }
       }
 
       await imported_pagefind.options(this.pagefindOptions || {});