From 5d7a7e502badda4fdd80e2f679997cdd35557549 Mon Sep 17 00:00:00 2001
From: Wes Turner <wes@wrd.nu>
Date: Mon, 27 Feb 2017 12:07:30 -0600
Subject: [PATCH] SEC,PRF: templates/main.html: build w/ DOM noes

https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet#####
---
 templates/main.html | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/templates/main.html b/templates/main.html
index 815ab034..0a648aa8 100644
--- a/templates/main.html
+++ b/templates/main.html
@@ -85,7 +85,10 @@
 	var res = '';
 	for(var i=0,n=authors.length;i<n;i++) {
 		var link = '/search?q=' + authors[i].replace(/ /g, "+");
-		res += '<a href="' + link + '">' + authors[i] + '</a>';
+        var node = document.createElement('a');
+        node.setAttribute('href', link);
+        node.textContent = authors[i];
+        res += node.outerHTML;
 		if(i<n-1) res += ', ';
 	}
 	return res;
@@ -95,7 +98,10 @@
     var res = '';
     for(var i=0,n=tags.length;i<n;i++) {
         var link = '/search?q=' + tags[i].replace(/ /g, "+");
-        res += '<a href="' + link + '">' + tags[i] + '</a>';
+        var node = document.createElement('a');
+        node.setAttribute('href', link);
+        node.textContent = tags[i];
+        res += node.outerHTML;
 		if(i<n-1) res += ' | ';
     }
     return res;