Skip to content

fix: remove |safe from striptags output in search templates#3060

Open
fazalpsinfo-cmyk wants to merge 1 commit into
python:mainfrom
fazalpsinfo-cmyk:fix/search-safe-striptags
Open

fix: remove |safe from striptags output in search templates#3060
fazalpsinfo-cmyk wants to merge 1 commit into
python:mainfrom
fazalpsinfo-cmyk:fix/search-safe-striptags

Conversation

@fazalpsinfo-cmyk

Copy link
Copy Markdown

Issue

The striptags filter output uses |safe in search result templates, allowing HTML content inside matched search snippets to be rendered unescaped. This is a potential XSS vector since user content in indexed pages may contain HTML.

Fix

Removed the |safe filter from striptags output in search template, ensuring HTML is properly escaped.

Fixes #3046


Support my open source work: https://buymeacoffee.com/muhamedfazalps

Four search include templates used |safe on striptags output, which
Django's docs explicitly warn against. The indexed value is now
genuinely plain text at index time via html.unescape(), so autoescaping
can safely render it.

Closes python#3046
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Bug: Search result templates apply |safe to striptags output

1 participant