From 32a0afe30c26044a62d098910464989258f0bc2e Mon Sep 17 00:00:00 2001 From: Chad Norvell Date: Mon, 22 Jan 2024 20:42:27 +0000 Subject: [PATCH] rustdoc: Prevent JS injection from localStorage
---
 src/librustdoc/html/static/js/storage.js | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/librustdoc/html/static/js/storage.js b/src/librustdoc/html/static/js/storage.js
index ac9c6f377b82a..bda7b3c647e7e 100644
--- a/src/librustdoc/html/static/js/storage.js
+++ b/src/librustdoc/html/static/js/storage.js
@@ -101,6 +101,14 @@ const getVar = (function getVar(name) {
 });
 function switchTheme(newThemeName, saveTheme) {
+ const themeNames = getVar("themes").split(",").filter(t => t);
+ themeNames.push(...builtinThemes);
+
+ // Ensure that the new theme name is among the defined themes
+ if (themeNames.indexOf(newThemeName) === -1) {
+ return;
+ }
+
+ // If this new value comes from a system setting or from the previously
 // saved theme, no need to save it.
 if (saveTheme) {
@@ -115,7 +123,7 @@ function switchTheme(newThemeName, saveTheme) {
 window.currentTheme = null;
 }
 } else {
- const newHref = getVar("root-path") + newThemeName +
+ const newHref = getVar("root-path") + encodeURIComponent(newThemeName) +
 getVar("resource-suffix") + ".css";
 if (!window.currentTheme) {
 // If we're in the middle of loading, document.write blocks
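Review bot: `getVar("themes").split(",")` at the top of switchTheme dereferences the result unconditionally, so if getVar can return null or undefined (its body is outside this hunk) every call now throws before the allowlist check is reached. A guard such as `const themeNames = (getVar("themes") || "").split(",").filter(t => t);` would keep the built-in themes usable in that case. The early `return` also leaves a rejected name in localStorage, where it is presumably read again on the next page load. A short comment stating that the caller is expected to fall back to a default, or a reset of the stored value, would make the intended behaviour explicit. switchTheme's body continues past the end of the hunk.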
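Review bot: `encodeURIComponent(newThemeName)` on the `newHref` line is URL encoding, not HTML escaping. It percent-encodes double quotes and angle brackets but leaves single quotes and parentheses untouched, so on its own it is only sufficient if the sink further down (the trailing comment mentions document.write, outside this hunk) places the href in a double-quoted attribute. The allowlist check added at the top of switchTheme is the actual control, and this line should say so, e.g. `// Defence in depth only: newThemeName was already checked against the known theme names above.` `getVar("root-path")` and `getVar("resource-suffix")` are still concatenated unencoded, which looks acceptable if they only ever come from the page's own markup, but that assumption is worth stating in the same comment. The enclosing else branch continues outside the hunk.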