diff --git a/ghost/admin/app/helpers/highlighted-text.js b/ghost/admin/app/helpers/highlighted-text.js
index cb6d3c40aa..f2512cc57f 100644
--- a/ghost/admin/app/helpers/highlighted-text.js
+++ b/ghost/admin/app/helpers/highlighted-text.js
@@ -1,11 +1,28 @@
+import Ember from 'ember';
import {helper} from '@ember/component/helper';
import {htmlSafe} from '@ember/template';
+const {Handlebars} = Ember;
+
export function highlightedText([text, termToHighlight]) {
// replace any non-word character with an escaped character
let sanitisedTerm = termToHighlight.replace(new RegExp(/\W/ig), '\\$&');
+ let termMatcher = new RegExp(sanitisedTerm, 'ig');
- return htmlSafe(text.replace(new RegExp(sanitisedTerm, 'ig'), '$&'));
+ let matches = text.match(termMatcher) || [];
+ let nonMatches = text.split(termMatcher);
+
+ let htmlSafeResult = '';
+
+ nonMatches.forEach((nonMatch, index) => {
+ htmlSafeResult += Handlebars.Utils.escapeExpression(nonMatch);
+
+ if (matches[index]) {
+ htmlSafeResult += `${Handlebars.Utils.escapeExpression(matches[index])}`;
+ }
+ });
+
+ return htmlSafe(htmlSafeResult);
}
export default helper(highlightedText);
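Review bot: Neither argument is validated before use in `highlightedText` — `termToHighlight.replace` and `text.match` throw on `undefined`/`null`, and an empty term builds `new RegExp('', 'ig')`, which splits `text` into single code units and escapes them one by one without producing any highlight; guards such as `if (!text) { return htmlSafe(''); }` and `if (!termToHighlight) { return htmlSafe(Handlebars.Utils.escapeExpression(text)); }` at the top of the function would keep the helper total. The result is marked `htmlSafe`, so its safety rests entirely on every fragment passing through `escapeExpression`, and the `\W` escaping on the line before `termMatcher` is what makes the pattern literal so a user-supplied term can neither inject regex syntax nor cause catastrophic backtracking — worth recording in a comment, e.g. `// every fragment is escaped before the result is marked htmlSafe; the term is regex-escaped so it is matched literally`. The template literal around the matched fragment appears to contain only the escaped match (any highlight markup may have been dropped in rendering); whatever markup it adds must remain a static literal, never derived from the term or the text. `import Ember from 'ember'` pulls in the whole legacy global just to reach `Handlebars.Utils.escapeExpression`; if the project's Ember version exposes a targeted import for that utility, prefer it.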
diff --git a/ghost/admin/tests/unit/helpers/highlighted-text-test.js b/ghost/admin/tests/unit/helpers/highlighted-text-test.js
index 3ec4b69088..6130219fe2 100644
--- a/ghost/admin/tests/unit/helpers/highlighted-text-test.js
+++ b/ghost/admin/tests/unit/helpers/highlighted-text-test.js
@@ -13,4 +13,10 @@ describe('Unit: Helper: highlighted-text', function () {
expect(result).to.be.an('object');
expect(result.string).to.equal('Test');
});
+
+ it('escapes html', function () {
+ let result = highlightedText(['', 'oops']);
+ expect(result).to.be.an('object');
+ expect(result.string).to.equal('<script>alert("oops")</script>');
+ });
});
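Review bot: The `escapes html` test asserts `'<script>alert("oops")</script>'` as the output string, which is the unescaped form — if the entities were lost when this page was rendered, the committed assertion should read `expect(result.string).to.equal('&lt;script&gt;alert(&quot;oops&quot;)&lt;/script&gt;');`, and the text argument on the line above (shown as `''`) should carry the raw `<script>` payload so the escaping path is actually exercised rather than trivially passing on an empty string. A second case should cover a term that itself contains markup, e.g. text `'a<b>b'` with term `'<b>'`, since the helper escapes the matched fragment separately from the non-matching fragments and both paths need pinning. The enclosing `describe` block starts outside the hunk.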