Fix script injection by using _.template escaping

This commit is contained in:
robmadole 2016-11-21 10:35:14 -06:00
parent 3fbc684636
commit 75cdda9bf7


@ -57,7 +57,7 @@ relative_path: ../
{% include icons/medical.html %}
</div>
<script type="text/template" id="results-template">
<h2 class="page-header">Search for '<span class="text-color-default"><%= content.query %></span>'</h2>
<h2 class="page-header">Search for '<span class="text-color-default"><%- content.query %></span>'</h2>
<% if (content.nbHits > 0) { %>
<div class="row fontawesome-icon-list">
<%= results %>
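Review bot: The last line of the hunk, `<%= results %>`, still uses the unescaped interpolation tag, so this commit only closes the injection for the query echo at the top of the template. That line is safe only if `results` is HTML produced by another template that itself escapes every hit-derived value (icon names, highlighted snippets, anything that reflects the query) with `<%-` or `_.escape`; that template is outside the hunk, so I cannot confirm it from here. If `results` is ever a plain string rather than pre-escaped markup, it should become `<%- results %>` like the query. Either way, a comment above it would stop the next edit from assuming raw interpolation is fine, e.g. `<% /* results is pre-rendered HTML; every value it embeds must already be escaped */ %>`. The `results-template` script block continues past the end of the hunk.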