mirror of
https://github.com/searxng/searxng.git
synced 2026-05-07 18:03:51 +02:00
23fb76f08f9e1e78247601d5d86b6b79aece1e63
Remove |safe filter from 6 template locations where data from external
search engine APIs was rendered as raw HTML without sanitization. Jinja2
autoescape now properly escapes these fields.
The |safe filter was originally added in commit 213041adc (March 2021)
by copying the pattern from result.title|safe and result.content|safe.
However, title and content are pre-escaped via escape() in webapp.py
lines 704-706 before highlight_content() adds trusted <span> tags for
search term highlighting. The metadata, info.value, link.url_label,
repository, and filename fields never go through any escaping and flow
directly from external API responses to the template.
Affected templates and their untrusted data sources:
- macros.html: result.metadata from DuckDuckGo, Reuters, Presearch,
Podcast Index, Fyyd, bpb, moviepilot, mediawiki, and others
- paper.html: result.metadata from academic search engines
- map.html: info.value and link.url_label from OpenStreetMap
user-contributed extratags
- code.html: result.repository and result.filename from GitHub API
Example exploit: a search engine API returning
metadata='<img src=x onerror=alert(document.cookie)>' would execute
arbitrary JavaScript in every user's browser viewing that result.
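The following added example is not part of the commit or of the SearXNG code base; it reproduces the two rendering paths the message describes with Jinja2 and MarkupSafe installed. The `highlight_content()` here is a hypothetical stand-in for the escape-then-highlight sequence in webapp.py, and the result dict is constructed, using the metadata payload quoted above as input to show that autoescape neutralises it once `|safe` is gone.

```python
import re

from jinja2 import Environment
from markupsafe import escape

# autoescape=True is what the templates rely on; |safe opts a value out of it.
env = Environment(autoescape=True)

# Constructed engine result: the metadata value is the payload quoted in the
# commit message, as an engine API could hand it back to the template.
RESULT = {
    "title": "SearXNG <b>release</b> notes",
    "metadata": "<img src=x onerror=alert(document.cookie)>",
}

VULNERABLE_META = '<p class="meta">{{ result.metadata|safe }}</p>'  # before the fix
FIXED_META = '<p class="meta">{{ result.metadata }}</p>'             # after the fix
TITLE = "<h3>{{ result.title|safe }}</h3>"                           # kept: title is pre-escaped


def highlight_content(content: str, query: str) -> str:
    """Escape first, then wrap query matches in a trusted <span>.
    Hypothetical stand-in for escape() + highlight_content() in webapp.py."""
    escaped = str(escape(content))
    needle = re.escape(str(escape(query)))
    return re.sub(needle, lambda m: f'<span class="highlight">{m.group(0)}</span>',
                  escaped, flags=re.IGNORECASE)


def render(template: str, result: dict) -> str:
    return env.from_string(template).render(result=result)


def render_metadata_vulnerable(result: dict) -> str:
    return render(VULNERABLE_META, result)


def render_metadata_fixed(result: dict) -> str:
    return render(FIXED_META, result)


def render_title(result: dict, query: str) -> str:
    # Only the already-escaped, highlighted string is marked safe, so the
    # engine's "<b>" stays inert text while the highlight span renders.
    return render(TITLE, {"title": highlight_content(result["title"], query)})


if __name__ == "__main__":
    print(render_metadata_vulnerable(RESULT))  # raw <img ... onerror=...> reaches the browser
    print(render_metadata_fixed(RESULT))       # &lt;img ... &gt; is displayed as text
    print(render_title(RESULT, "release"))
```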
.. SPDX-License-Identifier: AGPL-3.0-or-later

.. _metasearch engine: https://en.wikipedia.org/wiki/Metasearch_engine
.. _Installation guide: https://docs.searxng.org/admin/installation.html
.. _Configuration guide: https://docs.searxng.org/admin/settings/index.html
.. _CONTRIBUTING: https://github.com/searxng/searxng/blob/master/CONTRIBUTING.rst
.. _LICENSE: https://github.com/searxng/searxng/blob/master/LICENSE

.. figure:: https://raw.githubusercontent.com/searxng/searxng/master/client/simple/src/brand/searxng.svg
   :target: https://searxng.org
   :alt: SearXNG
   :width: 512px

   SearXNG is a `metasearch engine`_. Users are neither tracked nor profiled.

.. image:: https://img.shields.io/badge/organization-3050ff?style=flat-square&logo=searxng&logoColor=fff&cacheSeconds=86400
   :target: https://github.com/searxng
   :alt: Organization

.. image:: https://img.shields.io/badge/documentation-3050ff?style=flat-square&logo=readthedocs&logoColor=fff&cacheSeconds=86400
   :target: https://docs.searxng.org
   :alt: Documentation

.. image:: https://img.shields.io/github/license/searxng/searxng?style=flat-square&label=license&color=3050ff&cacheSeconds=86400
   :target: https://github.com/searxng/searxng/blob/master/LICENSE
   :alt: License

.. image:: https://img.shields.io/github/commit-activity/y/searxng/searxng/master?style=flat-square&label=commits&color=3050ff&cacheSeconds=3600
   :target: https://github.com/searxng/searxng/commits/master/
   :alt: Commits

.. image:: https://img.shields.io/weblate/progress/searxng?server=https%3A%2F%2Ftranslate.codeberg.org&style=flat-square&label=translated&color=3050ff&cacheSeconds=86400
   :target: https://translate.codeberg.org/projects/searxng/
   :alt: Translated

Setup
=====

To install SearXNG, see `Installation guide`_.

To fine-tune SearXNG, see `Configuration guide`_.

Further information on *how-to* can be found `here <https://docs.searxng.org/admin/index.html>`_.

Connect
=======

If you have questions or want to connect with others in the community:

- `#searxng:matrix.org <https://matrix.to/#/#searxng:matrix.org>`_

Contributing
============

See CONTRIBUTING_ for more details.

License
=======

This project is licensed under the GNU Affero General Public License (AGPL-3.0). See LICENSE_ for more details.