diff --git a/build.sh b/build.sh
index 09fb26317..e759bdcc2 100755
--- a/build.sh
+++ b/build.sh
@@ -1,6 +1,16 @@
#!/bin/bash -e
# This script publishes the GraphQL specification document to the web.
+# Escape HTML special characters to prevent HTML injection
+html_escape() {
+ local str="$1"
+ str="${str//&/&}"
+ str="${str///>}"
+ str="${str//\"/"}"
+ echo "$str"
+}
+
# Determine if this is a tagged release
GITTAG=$(git tag --points-at HEAD)
@@ -58,11 +68,12 @@ HTML="
# Include latest draft
GITDATE=$(git show -s --format=%cd --date=format:"%a, %b %-d, %Y" HEAD)
+GITDATE_ESC=$(html_escape "$GITDATE")
HTML="$HTML
| Prerelease |
Working Draft |
- $GITDATE |
+ $GITDATE_ESC |
|
"
@@ -73,6 +84,10 @@ for GITTAG in $(git tag -l --sort='-*committerdate') ; do
TAGGEDCOMMIT=$(git rev-list -1 "$GITTAG")
GITDATE=$(git show -s --format=%cd --date=format:"%a, %b %-d, %Y" $TAGGEDCOMMIT)
+ GITTAG_ESC=$(html_escape "$GITTAG")
+ TAGTITLE_ESC=$(html_escape "$TAGTITLE")
+ GITDATE_ESC=$(html_escape "$GITDATE")
+
HTML="$HTML
"
@@ -82,9 +97,9 @@ for GITTAG in $(git tag -l --sort='-*committerdate') ; do
HAS_LATEST_RELEASE=1
HTML="$HTML
- | $TAGTITLE |
- $GITDATE |
- Release Notes |
+ $TAGTITLE_ESC |
+ $GITDATE_ESC |
+ Release Notes |
"
done
@@ -102,4 +117,4 @@ HTML="$HTML