rustdoc: Comment on JS injection fix

Chad Norvell · Chad Norvell · commit 6fe87b5a4461 · 2024-01-22T21:16:01.000Z
diff --git a/src/librustdoc/html/static/js/storage.js b/src/librustdoc/html/static/js/storage.js
@@ -24,6 +24,10 @@ function getSettingValue(settingName) {
             return def;
         }
     }
+    // Strip out characters we don't expect to find in settings values.
+    // This prevents an injection vulnerability where someone could plant
+    // JS code into the localStorage value, which could be executed when
+    // we pull it out.
     return current.replace(/[^A-Za-z0-9_-]/g,"");
 }
 

Original file line number	Diff line number	Diff line change
`@@ -24,6 +24,10 @@ function getSettingValue(settingName) {`
`24`	`24`	`return def;`
`25`	`25`	`}`
`26`	`26`	`}`
	`27`	`+ // Strip out characters we don't expect to find in settings values.`
	`28`	`+ // This prevents an injection vulnerability where someone could plant`
	`29`	`+ // JS code into the localStorage value, which could be executed when`
	`30`	`+ // we pull it out.`
`27`	`31`	`return current.replace(/[^A-Za-z0-9_-]/g,"");`
`28`	`32`	`}`
`29`	`33`