From 57714c86a61f5905768e2f8e89eae207cda9e0aa Mon Sep 17 00:00:00 2001
From: n1474335 <n1474335@gmail.com>
Date: Fri, 12 Feb 2021 17:55:28 +0000
Subject: [PATCH] Escape HTML input in Fuzzy Match operation

---
 src/core/operations/FuzzyMatch.mjs | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/core/operations/FuzzyMatch.mjs b/src/core/operations/FuzzyMatch.mjs
index f7c9b358..c35dd0ab 100644
--- a/src/core/operations/FuzzyMatch.mjs
+++ b/src/core/operations/FuzzyMatch.mjs
@@ -6,6 +6,7 @@
 
 import Operation from "../Operation.mjs";
 import {fuzzyMatch, calcMatchRanges, DEFAULT_WEIGHTS} from "../lib/FuzzyMatch.mjs";
+import Utils from "../Utils.mjs";
 
 /**
  * Fuzzy Match operation
@@ -101,16 +102,16 @@ class FuzzyMatch extends Operation {
             const matchRanges = calcMatchRanges(idxs);
 
             matchRanges.forEach(([start, length], i) => {
-                result += input.slice(pos, start);
+                result += Utils.escapeHtml(input.slice(pos, start));
                 if (i === 0) result += `<span class="${hlClass}">`;
                 pos = start + length;
-                result += `<b>${input.slice(start, pos)}</b>`;
+                result += `<b>${Utils.escapeHtml(input.slice(start, pos))}</b>`;
             });
             result += "</span>";
             hlClass = hlClass === "hl1" ? "hl2" : "hl1";
         });
 
-        result += input.slice(pos, input.length);
+        result += Utils.escapeHtml(input.slice(pos, input.length));
 
         return result;
     }