fix: escape HTML in search keywords

sy-records · sy-records · commit 4f0f6f372b73 · 2025-07-31T12:38:33.000+08:00
diff --git a/src/core/event/index.js b/src/core/event/index.js
@@ -478,7 +478,7 @@ export function Events(Base) {
       const newActive = dom
         .find(
           sidebar,
-          `a[href="${href}"], a[href="${decodeURIComponent(href)}"]`,
+          `a[href="${CSS.escape(href)}"], a[href="${CSS.escape(decodeURIComponent(href))}"]`,
         )
         ?.closest('li');
 
diff --git a/src/plugins/search/component.js b/src/plugins/search/component.js
@@ -1,4 +1,4 @@
-import { search } from './search.js';
+import { escapeHtml, search } from './search.js';
 import cssText from './style.css';
 
 let NO_DATA_TEXT = '';
@@ -75,11 +75,11 @@ function bindEvents() {
   let timeId;
 
   /**
-    Prevent to Fold sidebar.
-
-    When searching on the mobile end,
-    the sidebar is collapsed when you click the INPUT box,
-    making it impossible to search.
+   * Prevent to Fold sidebar.
+   *
+   * When searching on the mobile end,
+   * the sidebar is collapsed when you click the INPUT box,
+   * making it impossible to search.
    */
   Docsify.dom.on(
     $search,
@@ -129,10 +129,10 @@ export function init(opts, vm) {
     return;
   }
 
-  const keywords = vm.router.parse().query.s;
+  const keywords = vm.router.parse().query.s || '';
 
   Docsify.dom.style(cssText);
-  tpl(vm, keywords);
+  tpl(vm, escapeHtml(keywords));
   bindEvents();
   keywords && setTimeout(_ => doSearch(keywords), 500);
 }
diff --git a/src/plugins/search/search.js b/src/plugins/search/search.js
@@ -5,7 +5,7 @@ import {
 import { markdownToTxt } from './markdown-to-txt.js';
 import Dexie from 'dexie';
 
-let INDEXES = {};
+let INDEXES = [];
 
 const db = new Dexie('docsify');
 db.version(1).stores({
@@ -48,7 +48,7 @@ function resolveIndexKey(namespace) {
     : LOCAL_STORAGE.INDEX_KEY;
 }
 
-function escapeHtml(string) {
+export function escapeHtml(string) {
   const entityMap = {
     '&': '&amp;',
     '<': '&lt;',
@@ -102,7 +102,7 @@ function getListData(token) {
 export function genIndex(path, content = '', router, depth, indexKey) {
   const tokens = window.marked.lexer(content);
   const slugify = window.Docsify.slugify;
-  const index = {};
+  const index = [];
   let slug;
   let title = '';
 
@@ -299,7 +299,7 @@ export async function init(config, vm) {
   INDEXES = await getData(indexKey);
 
   if (isExpired) {
-    INDEXES = {};
+    INDEXES = [];
   } else if (!isAuto) {
     return;
   }

Original file line number	Diff line number	Diff line change
`@@ -478,7 +478,7 @@ export function Events(Base) {`
`478`	`478`	`const newActive = dom`
`479`	`479`	`.find(`
`480`	`480`	`sidebar,`
`481`		- `a[href="${href}"], a[href="${decodeURIComponent(href)}"]`,
	`481`	+ `a[href="${CSS.escape(href)}"], a[href="${CSS.escape(decodeURIComponent(href))}"]`,
`482`	`482`	`)`
`483`	`483`	`?.closest('li');`
`484`	`484`