[dreamwidth/dreamwidth] 94b83b: Escape support search results to prevent HTML inje...
Branch: refs/heads/main
Home: https://github.com/dreamwidth/dreamwidth
Commit: 94b83b855d4edfab9ad70492e79d0f31a81256f7
  https://github.com/dreamwidth/dreamwidth/commit/94b83b855d4edfab9ad70492e79d0f31a81256f7
Author: Mark Smith <mark@dreamwidth.org>
Date: 2026-05-24 (Sun, 24 May 2026)
Changed paths: M cgi-bin/DW/Search.pm
Log Message:
Escape support search results to prevent HTML injection
enrichsupport used the raw supportlog message as the excerpt source and the raw request subject/category for display, all of which the support/search.tt template prints unfiltered. A support request body containing markup (e.g. a clickjacking report with /) was emitted verbatim into the results page. Strip HTML from the message before CALL SNIPPETS (leaving only the highlight tags) and LJ::ehtml the subject and category, matching the journal search's data-layer sanitization.
The legacy Sphinx worker's buildoutput_support has the same hole; left for the Sphinx-removal cleanup.
Co-Authored-By: Claude Opus 4.7 (1M context) noreply@anthropic.com
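As an added illustration of the ordering the commit describes (sanitize the message before the snippet/highlight step, and escape subject and category for display), here is a small stand-alone Perl script; it is not the commit's code. `ehtml`, `strip_html` and `safe_excerpt` are stand-ins for LJ::ehtml and the CALL SNIPPETS step, and the sample subject and body are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Stand-in for LJ::ehtml: escape the characters that matter in HTML text
# and attribute contexts.
sub ehtml {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Drop anything tag-shaped from the message. A regex is not an HTML parser;
# a stray '<' with no closing '>' survives, which is why ehtml() runs after.
sub strip_html {
    my ($s) = @_;
    $s =~ s/<[^>]*>//g;
    return $s;
}

# Excerpt builder: sanitize first, highlight second, so the only tags left
# in the output are the <b> highlight tags added here (the role CALL
# SNIPPETS plays in the real code).
sub safe_excerpt {
    my ($message, $term) = @_;
    my $text = ehtml( strip_html($message) );
    my $q    = quotemeta( ehtml($term) );
    $text =~ s/($q)/<b>$1<\/b>/gi;
    return $text;
}

# Constructed sample: a support request whose subject and body carry markup.
my $subject = q{Clickjacking on <b>Submit</b> button};
my $body    = q{Clicking "Submit" renders <iframe src="//example.invalid/"></iframe><script>alert(1)</script> over the button; note a < b is fine};

print "Subject: ", ehtml($subject), "\n";              # markup escaped, not interpreted
print "Excerpt: ", safe_excerpt($body, 'submit'), "\n"; # tags stripped, match wrapped in <b>
```

The excerpt keeps the text content of the stripped tags (here `alert(1)`) as inert text, and the unmatched `<` in `a < b` reaches the page as `&lt;` because escaping runs after stripping.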
