Escape HTML on display

wlach · wlach · commit 4fc2dfd677b2 · 2025-02-18T07:51:05.000-05:00
diff --git a/sphinx/themes/basic/static/searchtools.js b/sphinx/themes/basic/static/searchtools.js
@@ -99,7 +99,7 @@ const _displayItem = (item, searchTerms, highlightTerms) => {
   let linkEl = listItem.appendChild(document.createElement("a"));
   linkEl.href = linkUrl + anchor;
   linkEl.dataset.score = score;
-  linkEl.innerHTML = title;
+  linkEl.innerHTML = _escapeHTML(title);
   if (descr) {
     listItem.appendChild(document.createElement("span")).innerHTML =
       " (" + descr + ")";
@@ -349,9 +349,7 @@ const Search = {
           const boost = titles[file] === title ? 1 : 0;  // add a boost for document titles
           normalResults.push([
             docNames[file],
-            _escapeHTML(
-              titles[file] !== title ? `${titles[file]} > ${title}` : title
-            ),
+            titles[file] !== title ? `${titles[file]} > ${title}` : title,
             id !== null ? "#" + id : "",
             null,
             score + boost,
@@ -369,7 +367,7 @@ const Search = {
           const score = Math.round(100 * queryLower.length / entry.length);
           const result = [
             docNames[file],
-            _escapeHTML(titles[file]),
+            titles[file],
             id ? "#" + id : "",
             null,
             score,
diff --git a/tests/js/searchtools.spec.js b/tests/js/searchtools.spec.js
@@ -184,7 +184,7 @@ describe('Basic html theme search', function() {
 
       expectedRanking = [
         ['index', 'Main Page', '#index-0'],  /* index entry */
-        ['index', 'Main Page &gt; Result Scoring', '#result-scoring'],  /* title */
+        ['index', 'Main Page > Result Scoring', '#result-scoring'],  /* title */
       ];
 
       searchParameters = Search._parseQuery('scoring');
@@ -198,7 +198,7 @@ describe('Basic html theme search', function() {
 
       expectedRanking = [
         ['relevance', 'Relevance', ''],  /* main title */
-        ['index', 'Main Page &gt; Relevance', '#relevance'],  /* subsection heading title */
+        ['index', 'Main Page > Relevance', '#relevance'],  /* subsection heading title */
       ];
 
       searchParameters = Search._parseQuery('relevance');
