rustdoc: Prevent JS injection from localStorage

rust-lang-ci · Jan 29, 2024 · 32a0afe · 32a0afe
1 parent 021861a
commit 32a0afe
Showing 1 changed file with 9 additions and 1 deletion.
diff --git a/src/librustdoc/html/static/js/storage.js b/src/librustdoc/html/static/js/storage.js
@@ -101,6 101,14 @@ const getVar = (function getVar(name) {
 });
 
 function switchTheme(newThemeName, saveTheme) {
  const themeNames = getVar("themes").split(",").filter(t => t);
  themeNames.push(...builtinThemes);
 
  // Ensure that the new theme name is among the defined themes
  if (themeNames.indexOf(newThemeName) === -1) {
  return;
  }
 
  // If this new value comes from a system setting or from the previously
  // saved theme, no need to save it.
  if (saveTheme) {
@@ -115,7 123,7 @@ function switchTheme(newThemeName, saveTheme) {
  window.currentTheme = null;
  }
  } else {
- const newHref = getVar("root-path")   newThemeName  
  const newHref = getVar("root-path")   encodeURIComponent(newThemeName)  
  getVar("resource-suffix")   ".css";
  if (!window.currentTheme) {
  // If we're in the middle of loading, document.write blocks