From c7df3cfdcad578d57ce5a87a8331cf5d129fed82 Mon Sep 17 00:00:00 2001 From: qtw97 Date: Wed, 6 Dec 2023 19:58:40 -0500 Subject: [PATCH] fix: fix xss --- lms/templates/courseware/courses.html | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/lms/templates/courseware/courses.html b/lms/templates/courseware/courses.html index 34f417cd0d80..4ec38457874b 100644 --- a/lms/templates/courseware/courses.html +++ b/lms/templates/courseware/courses.html @@ -332,24 +332,26 @@

${_('Refine Your Search')}

var message; if (searchTerm === '') { - // If no search term is entered, use the current discovery message + // Use textContent to safely set the text message = currentMessage; } else { - // If a search term is entered, format the message + // Sanitize and escape user input + searchTerm = encodeHTML(searchTerm); + var numberOfCourses = currentMessage.includes("any") ? 0 : parseInt(currentMessage.match(/\d+/)[0]); - var courseWord = numberOfCourses === 1 ? "course" : "courses"; // Singular or plural - message = "" + numberOfCourses + " " + courseWord + " find for \"" + searchTerm + "\""; + var courseWord = numberOfCourses === 1 ? "course" : "courses"; + message = numberOfCourses + " " + courseWord + " found for \"" + searchTerm + "\""; } var resultsContainer = document.getElementById('search-results-container'); var existingElement = resultsContainer.querySelector('.search-results-count'); if (existingElement) { - existingElement.innerHTML = message; // Use innerHTML to interpret HTML tags + existingElement.textContent = message; // Use textContent for security } else { var newElement = document.createElement('div'); newElement.className = 'search-results-count'; - newElement.innerHTML = message; // Use innerHTML to interpret HTML tags + newElement.textContent = message; // Use textContent for security resultsContainer.appendChild(newElement); } } @@ -365,6 +367,12 @@
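Review bot: The added `searchTerm = encodeHTML(searchTerm);` in the `else` branch double-encodes the display text, because the same hunk switches both assignments from `innerHTML` to `textContent`, and `textContent` already renders the string literally — a search for `a&b` or `x<y` will show up in the count line as the entity-escaped form rather than what the user typed. The `textContent` change alone closes the injection the commit is fixing, so the sanitizing line should be dropped along with its `// Sanitize and escape user input` comment (assuming `encodeHTML` is the entity-escaping helper added in the next hunk; its body is not readable here). The relocated comment `// Use textContent to safely set the text` now sits above `message = currentMessage;` in the empty-search branch, where nothing is set on the DOM; it belongs next to the two `textContent` assignments below, or can go since those already carry `// Use textContent for security`. The enclosing search handler starts before this hunk.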

${_('Refine Your Search')}

}, 500); }); }); + + // Function to escape HTML in user input + function encodeHTML(str){ + return str.replace(/&/g, '&').replace(//g, '>').replace(/"/g, '"').replace(/'/g, '''); + } +