From 29ac0f2616884d9ade489cba63289adfa146ce5e Mon Sep 17 00:00:00 2001
From: Devansh Batham
Date: Fri, 3 Jan 2025 21:54:30 +0530
Subject: [PATCH] fix: DOM text reinterpreted as HTML leading to self-XSS (#633)

* fix: DOM text reinterpreted as HTML

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* fix: format with prettier

---------

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Oliver Eyton-Williams
---
 .../public/imageSearch.js | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/apps/image-search-abstraction-layer/public/imageSearch.js b/apps/image-search-abstraction-layer/public/imageSearch.js
index 3a7194d0..abdc8924 100644
--- a/apps/image-search-abstraction-layer/public/imageSearch.js
+++ b/apps/image-search-abstraction-layer/public/imageSearch.js
@@ -37,16 +37,20 @@ function updateURL() {
 var queryTest = /\S/;
 if (selected == 'query' && queryTest.test(queryValue)) {
- url += 'query/' + queryValue + '?page=' + pageValue;
+ url +=
+ 'query/' +
+ encodeURIComponent(queryValue) +
+ '?page=' +
+ encodeURIComponent(pageValue);
 if (sizeValue != 'All') {
- url += '&size=' + sizeValue;
+ url += '&size=' + encodeURIComponent(sizeValue);
 }
 }
 if (selected == 'recent') {
 url += 'recent/';
 }
- urlDiv.innerHTML = url;
+ urlDiv.textContent = url;
 urlDiv.setAttribute('href', url);
 }
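Review bot: The `urlDiv.textContent = url;` line is the actual XSS fix, but nothing in the hunk records why `innerHTML` was wrong, so a later edit that wants markup in that anchor is likely to regress it; add `// Display the user-derived URL as plain text: it must never be parsed as HTML.` directly above it. The `encodeURIComponent` calls on `queryValue`, `pageValue` and `sizeValue` close the related problem of a query containing `?`, `&` or `/` rewriting the request path or query, which deserves one line as well, e.g. `// Encode each user-supplied piece so it cannot alter the path or query structure.` above the `url +=` statement. Note that `url` is still assigned to `href` with whatever prefix it received above the hunk; I assume that prefix is a fixed string, which the hunk does not show. updateURL begins before the hunk.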