From a1911dc455994d5ae2953924163093e5fc51dfeb Mon Sep 17 00:00:00 2001
From: RedHeadSec <42355245+RedHeadSec@users.noreply.github.com>
Date: Tue, 25 Nov 2025 19:07:09 -0600
Subject: [PATCH] Escape HTML entities in highlighted matches

Updated the _highlight_match method to escape HTML entities in the highlighted text.
---
 ldap_shell/completers/ad_object_completer.py | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/ldap_shell/completers/ad_object_completer.py b/ldap_shell/completers/ad_object_completer.py
index 1df96d2..8471938 100644
--- a/ldap_shell/completers/ad_object_completer.py
+++ b/ldap_shell/completers/ad_object_completer.py
@@ -6,6 +6,7 @@ from abc import abstractmethod
 from ldap3 import SUBTREE
 import threading
+import html
 from ldap_shell.utils import history
 from ldap_shell.completers.base import ADObjectCacheManager
@@ -51,17 +52,17 @@ def get_completions(self, document: Document, complete_event, current_word=None)
         )
     def _highlight_match(self, text: str, substr: str) -> str:
-        """Highlights the matching part of the text"""
+        """Highlights the matching part of the text - escapes HTML entities"""
         if not substr:
-            return text
-
+            return html.escape(text)
+
         index = text.lower().find(substr.lower())
         if index >= 0:
-            before = text[:index]
-            match = text[index:index + len(substr)]
-            after = text[index + len(substr):]
+            before = html.escape(text[:index])
+            match = html.escape(text[index:index + len(substr)])
+            after = html.escape(text[index + len(substr):])
             return f"{before}{after}"
-        return text
+        return html.escape(text)
     def _get_ad_objects(self):
         objects = set()
@@ -129,4 +130,4 @@ class OUCompleter(ADObjectCompleter):
     attributes = ['name', 'distinguishedName'] # Override attributes for OUs
     def get_ldap_filter(self):
-        return "(objectClass=organizationalUnit)"
\ No newline at end of file
+        return "(objectClass=organizationalUnit)"
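Review bot: In the `_highlight_match` hunk the order of operations — compute `index` on the raw `text`, then `html.escape` each slice — is what keeps the highlight boundaries correct, because escaping first would lengthen `&`, `<`, `>` and quotes and shift the offset; that reasoning is not recorded and a later refactor that escapes `text` up front would silently break it, so add `# escape after slicing: index was computed on the raw text, escaping first would shift it` above the `before = ...` line. As rendered here the return line reads `f"{before}{after}"` and `match` is never interpolated, so either the highlight markup was lost in rendering or the escaped match is dropped from the output — worth confirming against the file. One pre-existing edge the escaping now makes more visible: `text.lower().find(substr.lower())` indexes into the lowercased string, which can differ in length from `text` for some Unicode characters, so the three slices may split mid-match; a guard such as `if len(text.lower()) != len(text): return html.escape(text)` before the `find` would keep the output well-formed. The enclosing `get_completions` call ends on the first line of the hunk and `_get_ad_objects` continues past it.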