[Xapian-devel] opensearch template

Olly Betts olly at survex.com
Tue Jan 3 17:41:25 GMT 2006

On Tue, Jan 03, 2006 at 05:15:07PM +0000, James Aylett wrote:
> On Tue, Jan 03, 2006 at 05:00:26PM +0000, Olly Betts wrote:
> > But reading the spec, it does say that any HTML in the description tag
> > should be escaped once, or enclosed as CDATA:
> > 
> > http://opensearch.a9.com/docs/devfaq.jsp#html
> > 
> > Since we seem to be using RSS instead of ATOM, I think that means we
> > need a $html{ } around the contents of the description tag.
> If you do, the < and > in the $highlight{...} need to change to
> < and > respectively, or you'll have "double escaped" them.

I think the double escaping is correct.

If we search for "1" and a description is:

1 < 2

Then $highlight produces (assuming we're using <b>...</b> to highlight):

<b>1</b> < 2

And the opensearch response will contain:

<description><b>1</b> &lt; 2</description>

Then the code handling the opensearch response unescapes the contents of
<description> and gets:

<b>1</b> < 2

Which is correct.  If "<" were "<" from $highlight, at this point
we'd have "<b>1</b> < 2" which is broken HTML.

Or am I missing something?

> In theory we can re-work opensearch over Atom, but you get into fiddly
> areas because Atom requires GUIDs. There wasn't enough interest on the
> Atom list to get anywhere with the idea, as far as I can tell (and
> neither Richard nor I have had time).

I think it's been done now - the opensearch site talks about use with
RSS or Atom anyway.

> The opensearch template isn't really finished - it was more a quick
> hack to see how fiddly it would be.

OK, but we really shouldn't be shipping stuff with missing escaping.
That's where XSS security holes come from...


More information about the Xapian-devel mailing list