From 9f4401f2fb00c84210cd551b97c8ad60e78c71e0 Mon Sep 17 00:00:00 2001
From: Oliver Gorwits
Date: Wed, 28 Jun 2023 12:06:11 +0100
Subject: [PATCH] avoid CSS vulnerability in Find Anything
---
 lib/App/Netdisco/Web/TypeAhead.pm | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/App/Netdisco/Web/TypeAhead.pm b/lib/App/Netdisco/Web/TypeAhead.pm
index 98817f9d..29d27616 100644
--- a/lib/App/Netdisco/Web/TypeAhead.pm
+++ b/lib/App/Netdisco/Web/TypeAhead.pm
@@ -6,6 +6,7 @@ use Dancer::Plugin::DBIC;
 use Dancer::Plugin::Auth::Extensible;
 use App::Netdisco::Util::Web (); # for sort_port
+use HTML::Entities 'encode_entities';
 
 ajax '/ajax/data/devicename/typeahead' => require_login sub {
     return '[]' unless setting('navbar_autocomplete');
 
@@ -14,7 +15,7 @@ ajax '/ajax/data/devicename/typeahead' => require_login sub {
     my $set = schema(vars->{'tenant'})->resultset('Device')->search_fuzzy($q);
 
     content_type 'application/json';
-    to_json [map {$_->dns || $_->name || $_->ip} $set->all];
+    to_json [map {encode_entities($_->dns || $_->name || $_->ip)} $set->all];
 };
 
 ajax '/ajax/data/deviceip/typeahead' => require_login sub {
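Review bot: Entity-encoding the strings inside the JSON payload on the `to_json` line only protects consumers that insert them as HTML; any consumer that uses a suggestion as text (for example as the query submitted back to the server once the user picks it) now receives `&amp;`, `&lt;` and so on and may double-encode or search for the wrong name, so escaping where the typeahead renders into the DOM is the usual place for this fix. If the server-side encoding is kept, a comment such as `# HTML-encoded because the typeahead inserts these values as markup` next to the `to_json` call would explain why a JSON endpoint returns entity-encoded strings. The deviceip typeahead whose signature closes the second hunk (its body is outside the hunk) and any other typeahead routes in this file presumably render the same way and are left unencoded. `HTML::Entities` is not core Perl and the diffstat shows only TypeAhead.pm changed, so check that it is declared in the distribution's prerequisites if it is not already.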