Description
The link generation code is buggy, as the section title is escaped & placed inside of single quotes, but the escapeHtmlEntities only escapes double quotes, not single quotes.
str+='<a href="#" onclick="goTo(\''+escapeHtmlEntities(l[1])+'\');return false;">'+escapeHtmlEntities(l[0])+'</a><br>';
Thus, one possibility is someone e.g. including an apostrophe in a section title,
and then being confused when the link to that section doesn't work.
Perhaps unlikely, but annoying.
Another possibility is exploiting this bugginess to inject arbitrary JavaScript as I have demonstrated with this very silly proof of concept.
Very unlikely (and not a real security concern AFAICT), but very amusing. :P
The fix should be as simple as adding a .replace(/'/g, '&#39;') to escapeHtmlEntities,
or swapping the quotes around in goTo a little:
// this would also work I think (tho i didn't actually test it...)
str+='<a href="#" onclick=\'goTo("'+escapeHtmlEntities(l[1])+'");return false;\'>'+escapeHtmlEntities(l[0])+'</a><br>';
That is, of course, if you fix this at all — maybe It's A Feature Not A Bug ^^
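The following is an added example, not code from the original page or the project the report is about, that reconstructs the quoting problem and checks what the generated onclick handler looks like once a browser has decoded the attribute. The body of escapeHtmlEntities is an assumption based only on the report's description (it escapes &, <, > and " but not the apostrophe); goTo is assumed to exist on the page; decodeAttr is a minimal stand-in for the browser's attribute-value entity decoding that covers just the entities the escapers emit; the sample titles and ids are constructed. Because character references in an attribute value are decoded before the handler's JavaScript is compiled, the check is applied to the decoded handler source, which is what the JS engine actually sees.

```javascript
// Added example (not code from the original page or project). The body
// of escapeHtmlEntities is an assumption: the report only says it
// escapes double quotes but not single quotes. decodeAttr is a minimal
// stand-in for the browser's attribute-value entity decoding, covering
// just the entities the escapers below emit. Sample titles/ids are
// constructed.

// Assumed shape of the buggy escaper: &, <, > and " but no apostrophe.
function escapeHtmlEntities(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// The report's first suggestion: also map ' to &#39;.
function escapeHtmlEntitiesWithApos(s) {
  return escapeHtmlEntities(s).replace(/'/g, '&#39;');
}

// The link-generation line from the report, parameterised on the escaper.
// l is a [title, id] pair; the id ends up inside a single-quoted JS string
// inside a double-quoted onclick attribute.
function buildLink(l, escape) {
  return '<a href="#" onclick="goTo(\'' + escape(l[1]) + '\');return false;">' +
    escape(l[0]) + '</a><br>';
}

// Alternative: encode for the inner (JS string) context first, then for
// the outer (HTML attribute) context. JSON.stringify yields a valid
// double-quoted JS string literal with any " or \ backslash-escaped.
function buildLinkSafe(l) {
  const esc = escapeHtmlEntitiesWithApos;
  return '<a href="#" onclick="goTo(' + esc(JSON.stringify(l[1])) +
    ');return false;">' + esc(l[0]) + '</a><br>';
}

// What the browser does before compiling an event handler: decode
// character references in the attribute value (single pass, as in HTML).
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"' };
function decodeAttr(s) {
  return s.replace(/&(#(\d+)|[a-z]+);/g, (m, body, num) =>
    num !== undefined ? String.fromCodePoint(Number(num)) : (NAMED[body] ?? m));
}

// Pull the onclick value out of the generated markup and return the
// JavaScript source the engine would actually see.
function handlerOf(html) {
  const m = /onclick="([^"]*)"/.exec(html);
  return m ? decodeAttr(m[1]) : null;
}

// Intact means: exactly one goTo(<string literal>) call followed by
// `return false;`. Anything else means the id terminated the literal,
// either breaking the link or smuggling in extra statements.
function handlerIsIntact(js) {
  return js !== null &&
    /^goTo\((?:'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*")\);return false;$/.test(js);
}

// Constructed inputs: a plain title, one with an apostrophe, and an id
// crafted to close the JS string and append a statement.
const SAMPLES = [
  ['Intro', 'intro'],
  ["Bob's notes", "Bob's notes"],
  ['Evil', "x');alert(1);//"],
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const l of SAMPLES) {
    for (const [name, build] of [
      ['buggy  ', (x) => buildLink(x, escapeHtmlEntities)],
      ['&#39;  ', (x) => buildLink(x, escapeHtmlEntitiesWithApos)],
      ['layered', buildLinkSafe],
    ]) {
      const js = handlerOf(build(l));
      console.log(name, handlerIsIntact(js) ? 'ok    ' : 'BROKEN', js);
    }
  }
}
```

Running it shows the two effects the report describes (a syntax error for the apostrophe title, an extra statement for the crafted id) and also that the `&#39;` variant hands the engine the very same `goTo('x');alert(1);//')…` source once the attribute is decoded: escaping for the attribute context alone cannot protect a value that also sits inside a JavaScript string literal, so the inner context has to be encoded first, as buildLinkSafe does, or the inline handler replaced with a data attribute and addEventListener.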