Fixes client DOM XSS issue (#3974)

SAP · Oct 10, 2024 · aad422e · aad422e
1 parent 5584969
commit aad422e
Showing 1 changed file with 7 additions and 3 deletions.
diff --git a/website/docs/src/app.html b/website/docs/src/app.html
@@ -15,14 +15,18 @@
     <div style="display: contents">%sveltekit.body%</div>
 
     <script type="text/javascript">
+      const sanitizeString = function(input) {
+        return input ? input.replace(/[^a-z0-9-/]/gim, '').toLowerCase() : '';
+      };
+      const locationPath = sanitizeString(location.pathname);
+      const pathNameIndex = locationPath.lastIndexOf('/') + 1;
+
       // Import LuigiClient into each microfrontend
       let script = document.createElement('script');
       script.type = 'text/javascript';
       script.src = '/luigi-client/luigi-client.js';
       document.getElementsByTagName('body')[0].appendChild(script);
-      document.body.classList.add(
-        'page-' + location.pathname.substring(location.pathname.lastIndexOf('/') + 1)
-      );
+      document.body.classList.add('page-' + locationPath.substring(pathNameIndex));
 
       // Modify WC API docu labels manually for added clarity through title attribute
       document.addEventListener('DOMContentLoaded', function() {