Skip to content

Don't mark striptags output as safe in search results#3048

Open
apoorva-01 wants to merge 1 commit into
python:mainfrom
apoorva-01:search-description-escape-safe
Open

Don't mark striptags output as safe in search results#3048
apoorva-01 wants to merge 1 commit into
python:mainfrom
apoorva-01:search-description-escape-safe

Conversation

@apoorva-01

Copy link
Copy Markdown

Description

The search result templates run result.description through |safe, but that's striptags output, which the docs say to never mark safe. Went with the fix from the issue: html.unescape(striptags(...)) in the prepare_description methods so the indexed value is real plain text, then dropped |safe and let autoescaping handle it. Renders the same.

Old index entries stay entity-encoded until a rebuild_index, so that'll need a reindex on deploy. And pages.page.html doesn't actually use description|safe, so that one's just for consistency.

Closes

striptags output isn't HTML-safe, so |safe on it is exactly what Django's
docs warn against. Dropping |safe alone would double-escape (strip_tags
leaves entities encoded), so unescape the description at index time and
let autoescaping do the work.
@apoorva-01 apoorva-01 requested a review from JacobCoffee as a code owner July 8, 2026 00:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Bug: Search result templates apply |safe to striptags output

1 participant