rustdoc: Exclude code characters from localStorage value

Chad Norvell · Chad Norvell · commit 1f56852f2fce · 2024-01-22T21:41:35.000Z
diff --git a/src/librustdoc/html/static/js/storage.js b/src/librustdoc/html/static/js/storage.js
@@ -28,7 +28,7 @@ function getSettingValue(settingName) {
     // This prevents an injection vulnerability where someone could plant
     // JS code into the localStorage value, which could be executed when
     // we pull it out.
-    return current.replace(/[^A-Za-z0-9_-]/g,"");
+    return current.replace(/[\s\(\)\[\]\{\}\*\"\'\`<>.:;=&|]/g,"");
 }
 
 const localStoredTheme = getSettingValue("theme");

Original file line number	Diff line number	Diff line change
`@@ -28,7 +28,7 @@ function getSettingValue(settingName) {`
`28`	`28`	`// This prevents an injection vulnerability where someone could plant`
`29`	`29`	`// JS code into the localStorage value, which could be executed when`
`30`	`30`	`// we pull it out.`
`31`		`- return current.replace(/[^A-Za-z0-9_-]/g,"");`
	`31`	+ return current.replace(/[\s\(\)\[\]\{\}\*\"\'\`<>.:;=&\|]/g,"");
`32`	`32`	`}`
`33`	`33`
`34`	`34`	`const localStoredTheme = getSettingValue("theme");`