diff --git a/docs.html b/docs.html
index 25639930e..a725a7268 100644
--- a/docs.html
+++ b/docs.html
@@ -307,6 +307,17 @@ On this page
return text.toLowerCase().replace(/[^\w]+/g, '-').replace(/^-|-$/g, '');
}
+ // Basic HTML escaping to prevent XSS when inserting untrusted values
+ function escapeHtml(str) {
+ return String(str)
+ .replace(/&/g, '&')
+ .replace(//g, '>')
+ .replace(/"/g, '"')
+ .replace(/'/g, ''')
+ .replace(/\//g, '/');
+ }
+
// Simple markdown to HTML parser with anchor generation
function parseMarkdown(md) {
let html = md;
@@ -389,10 +400,11 @@ On this page
// Fetch and display documentation
async function loadDoc(filename) {
+ const safeFilename = escapeHtml(filename);
docsContent.innerHTML = `
-
Loading ${filename}...
+
Loading ${safeFilename}...
`;
@@ -417,9 +429,9 @@ On this page
console.error('Error loading doc:', error);
docsContent.innerHTML = `
Error Loading Documentation
- Failed to load ${filename}. Please try again later.
+ Failed to load ${safeFilename}. Please try again later.
-
+
View on GitHub