From 66fc8143dc4c43aa555b718b507c50f017b90b44 Mon Sep 17 00:00:00 2001
From: Andrew Berg <andrew.berg@washpost.com>
Date: Fri, 6 Dec 2024 14:31:07 -0500
Subject: [PATCH] fix: safely escape strings passed to RegExp in InputSearch

---
 packages/kit/src/input-search/InputSearchListItem.tsx | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/packages/kit/src/input-search/InputSearchListItem.tsx b/packages/kit/src/input-search/InputSearchListItem.tsx
index 841a28139..31f73bff0 100644
--- a/packages/kit/src/input-search/InputSearchListItem.tsx
+++ b/packages/kit/src/input-search/InputSearchListItem.tsx
@@ -85,10 +85,15 @@ export const ListItem = ({ item, state }: ListItemProps) => {
   );
 
   let highlighted;
+
+  const escape = (string) => {
+    return string.replace(/[.*+\-?^${}()|[\]\\]/g, "\\$&");
+  };
+
   if (typeof item.rendered === "string") {
-    highlighted = item.rendered.replace(
-      new RegExp((state as ComboBoxState<object>).inputValue, "gi"),
-      (match) => (match ? `<mark>${match}</mark>` : "")
+    const val = escape((state as ComboBoxState<object>).inputValue);
+    highlighted = item.rendered.replace(new RegExp(val, "gi"), (match) =>
+      match ? `<mark>${match}</mark>` : ""
     );
   }