upstream/postgresql
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2026-02-17 01:31:07 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions
postgresql/doc
History
Dean Rasheed 18dc43a07f doc: Warn that ts_headline() output is not HTML-safe. 
Add a documentation warning to ts_headline() pointing out that, when
working with untrusted input documents, the output is not guaranteed
to be safe for direct inclusion in web pages. This is because, while
it does remove some XML tags from the input, it doesn't remove all
HTML markup, and so the result may be unsafe (e.g., it might permit
XSS attacks).

To guard against that, all HTML markup should be removed from the
input, making it plain text, or the output should be passed through an
HTML sanitizer.

In addition, document precisely what the default text search parser
recognises as valid XML tags, since that's what determines which XML
tags ts_headline() will remove.

Reported-by: Richard Neill <richard.neill@telos.digital>
Author: Dean Rasheed <dean.a.rasheed@gmail.com>
Reviewed-by: Noah Misch <noah@leadboat.com>
Backpatch-through: 13
2025-05-01 11:06:21 +01:00
..
src doc: Warn that ts_headline() output is not HTML-safe. 2025-05-01 11:06:21 +01:00
KNOWN_BUGS Remove extra newlines at end and beginning of files, add missing newlines 2010-08-19 05:57:36 +00:00
Makefile Remove distprep 2023-11-06 15:18:04 +01:00
MISSING_FEATURES Remove extra newlines at end and beginning of files, add missing newlines 2010-08-19 05:57:36 +00:00
TODO Change documentation references to PG website to use https: not http: 2017-05-20 21:50:47 -04:00