From 58340120a30379f71ecc6b4bdb3f223714333096 Mon Sep 17 00:00:00 2001
From: shekhar agrawal
Date: Sat, 23 Sep 2023 18:37:42 +0530
Subject: [PATCH] fixes issue #420

---
 js/everything.js | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/js/everything.js b/js/everything.js
index d0d5568..0ec3ed0 100644
--- a/js/everything.js
+++ b/js/everything.js
@@ -441,7 +441,13 @@ function anchorURLs(text) {
 * (2) it encounters a period (.) or whitespace, if the TLD was followed by a forwardslash (/) */
 var re = /((?:http|https)\:\/\/[a-zA-Z0-9\-\.]+\.[a-zA-Z]{2,3}(?:\/\S*[^\.\s])?)/g; // eslint-disable-line no-useless-escape
 /* Wraps all found URLs in tags */
- return text.replace(re, "$1");
+ // Use a function to replace matches
+ return text.replace(re, function(match) {
+ // Escape the match to prevent XSS
+ var url = encodeURIComponent(match);
+ // Wrap the URL in an anchor tag
+ return "" + match + "";
+ });
 }
 
 function anchorTimestamps(text, videoID) {
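Review bot: `encodeURIComponent(match)` is the wrong escaping for this context: applied to a whole URL it percent-encodes the `:` and `/` of the scheme, so if `url` is the value placed in the href the link is no longer an absolute URL, while `match` is still concatenated into the returned string unescaped. The markup inside the string literals is not visible on this page, so where each value lands is inferred. Because the path part of `re` is `\S*`, a match can carry quote and angle-bracket characters; HTML-escape the match once and use that value for both the attribute and the link text, e.g. `var safe = match.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;");`. anchorURLs starts above the hunk, so whether `text` is already HTML-escaped before it arrives cannot be seen here; confirm that first so entities are not escaped twice.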