Diffstat (limited to 'doc')
-rw-r--r-- | doc/src/sgml/textsearch.sgml | 29 |
1 files changed, 28 insertions, 1 deletions
diff --git a/doc/src/sgml/textsearch.sgml b/doc/src/sgml/textsearch.sgml index bde5f391e5c..bf91c23bd11 100644 --- a/doc/src/sgml/textsearch.sgml +++ b/doc/src/sgml/textsearch.sgml @@ -1342,7 +1342,7 @@ ts_headline(<optional> <replaceable class="parameter">config</replaceable> <type document, to distinguish them from other excerpted words. The default values are <quote><literal><b></literal></quote> and <quote><literal></b></literal></quote>, which can be suitable - for HTML output. + for HTML output (but see the warning below). </para> </listitem> <listitem> @@ -1354,6 +1354,21 @@ ts_headline(<optional> <replaceable class="parameter">config</replaceable> <type </listitem> </itemizedlist> + <warning> + <title>Warning: Cross-site scripting (XSS) safety</title> + <para> + The output from <function>ts_headline</function> is not guaranteed to + be safe for direct inclusion in web pages. When + <literal>HighlightAll</literal> is <literal>false</literal> (the + default), some simple XML tags are removed from the document, but this + is not guaranteed to remove all HTML markup. Therefore, this does not + provide an effective defense against attacks such as cross-site + scripting (XSS) attacks, when working with untrusted input. To guard + against such attacks, all HTML markup should be removed from the input + document, or an HTML sanitizer should be used on the output. + </para> + </warning> + These option names are recognized case-insensitively. You must double-quote string values if they contain spaces or commas. </para> 
@@ -2225,6 +2240,18 @@ LIMIT 10; Specifically, the only non-alphanumeric characters supported for email user names are period, dash, and underscore. </para> + + <para> + <literal>tag</literal> does not support all valid tag names as defined by + <ulink url="https://www.w3.org/TR/xml/">W3C Recommendation, XML</ulink>. + Specifically, the only tag names supported are those starting with an + ASCII letter, underscore, or colon, and containing only letters, digits, + hyphens, underscores, periods, and colons. <literal>tag</literal> also + includes XML comments starting with <literal><!--</literal> and ending + with <literal>--></literal>, and XML declarations (but note that this + includes anything starting with <literal><?x</literal> and ending with + <literal>></literal>). + </para> </note> <para> |
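Review bot: The new cross-reference in the first hunk (`for HTML output (but see the warning below).`) points to the warning by position only; if the list is ever reordered or the warning moved, "below" silently becomes wrong. Give the new `<warning>` an `id` and link to it with `<xref>` (or `<link>`), which is how the rest of textsearch.sgml refers to other sections.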
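Review bot: In the second hunk the `<title>` of the new `<warning>` reads `Warning: Cross-site scripting (XSS) safety`; the DocBook `<warning>` admonition already renders a "Warning" label, so the prefix shows up twice. Drop it and keep `Cross-site scripting (XSS) safety`. In the body, `attacks such as cross-site scripting (XSS) attacks` repeats "attacks"; `against cross-site scripting (XSS) attacks` reads cleaner. The substance is right and worth stating as strongly as it is: with `HighlightAll` false only some simple XML tags are stripped, so callers must either strip HTML from the input or sanitize the output rather than trust `ts_headline` to do it.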
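Review bot: In the third hunk the `<literal>` elements show raw `<!--`, `-->`, `<?x` and `>`; if that is really what the SGML source contains rather than `&lt;`/`&gt;` entities, `<!--` inside a `<literal>` will be taken as the start of a comment and the build will break (the page may simply be rendering entities, so please confirm). The trailing parenthetical `(but note that this includes anything starting with <literal><?x</literal> and ending with <literal>></literal>)` would be clearer as its own sentence, e.g. `Note that anything starting with <?x and ending with > is treated as an XML declaration.` Since this paragraph documents that the `tag` token is only an approximation of real XML tags, it is also the technical reason the warning added in the previous hunk is needed; a one-line cross-reference between the two would help readers.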