Wednesday, 5 October 2016

Are the strings in Algolia's highlightResult guaranteed html-safe?

Vote count: 0

I'm trying to use Algolia instantSearch's highlightResult feature on a React web application. When the results were displayed like <em>Re</em>sult, I realized that I would have to mark it as functional HTML using React's dangerouslySetInnerHTML to get the tags to work like tags and not be escaped. I can't find a place where Algolia describes their policy for escaping characters in the index and results. I'd prefer not to have to use client-side sanitization to ensure that the only tags in the results are <em>, but I can't afford the possibility of a stored XSS attack. Is the highlightResult string returned by an Algolia search safe to use as HTML without sanitizing first?

asked 20 secs ago
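The alternative to dangerouslySetInnerHTML that the question mentions does not need a full HTML sanitizer: never parse the highlighted value as HTML at all, and only turn the exact highlight marker strings into <em> elements while everything else stays text, which React escapes on its own. The following is an added example, not code from the question, from Algolia or from react-instantsearch. It assumes a hit's `_highlightResult.<attribute>.value` holds the highlighted string, that the marker strings match the `highlightPreTag` / `highlightPostTag` sent with the query (Algolia's defaults are `<em>` and `</em>`), and uses a constructed sample hit whose stored text contains an injection attempt. It stays safe whatever Algolia's escaping policy turns out to be.

```javascript
// Added example (not from the question, Algolia or react-instantsearch):
// render an Algolia highlighted value without dangerouslySetInnerHTML.
// The value is never parsed as HTML; only the exact pre/post marker strings
// become <em> elements, everything else is emitted as text.

// Assumed to match the highlightPreTag / highlightPostTag used in the query
// (Algolia's defaults are <em> and </em>).
const DEFAULT_PRE_TAG = '<em>';
const DEFAULT_POST_TAG = '</em>';

// Split a highlighted value into plain and highlighted text segments.
// An unterminated marker is kept verbatim as plain text instead of being
// treated as markup, so a stray "<em>" in stored data cannot open a tag.
function splitHighlight(value, preTag = DEFAULT_PRE_TAG, postTag = DEFAULT_POST_TAG) {
  const segments = [];
  let rest = value;
  while (rest.length > 0) {
    const start = rest.indexOf(preTag);
    if (start === -1) {
      segments.push({ text: rest, highlighted: false });
      break;
    }
    if (start > 0) {
      segments.push({ text: rest.slice(0, start), highlighted: false });
    }
    const afterPre = rest.slice(start + preTag.length);
    const end = afterPre.indexOf(postTag);
    if (end === -1) {
      segments.push({ text: rest.slice(start), highlighted: false });
      break;
    }
    segments.push({ text: afterPre.slice(0, end), highlighted: true });
    rest = afterPre.slice(end + postTag.length);
  }
  return segments;
}

// Build React children from the segments. `createElement` is passed in
// (React.createElement in a real app) so this file has no React dependency;
// string children are escaped by React when rendered.
function toReactChildren(value, createElement, preTag, postTag) {
  return splitHighlight(value, preTag, postTag).map((seg, i) =>
    seg.highlighted ? createElement('em', { key: i }, seg.text) : seg.text
  );
}

// Same idea for a non-React consumer: escape all text, emit only <em>.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function toSafeHtml(value, preTag, postTag) {
  return splitHighlight(value, preTag, postTag)
    .map((seg) => (seg.highlighted ? `<em>${escapeHtml(seg.text)}</em>` : escapeHtml(seg.text)))
    .join('');
}

// Constructed sample hit in the assumed shape of an Algolia hit's
// _highlightResult: the stored title carries an injection attempt.
const sampleHit = {
  _highlightResult: {
    title: { value: '<em>Re</em>sult <img src=x onerror=alert(1)>', matchLevel: 'full' },
  },
};

// Usage in a component:
//   const children = toReactChildren(hit._highlightResult.title.value, React.createElement);
//   return <span>{children}</span>;
```

With the default `<em>` markers, the worst an attacker who controls stored text can do is emphasise some of it, since a literal `<em>…</em>` in the data is indistinguishable from a highlight. If even that is unwanted, send sentinel `highlightPreTag` / `highlightPostTag` values that cannot occur in user content and pass the same strings as `preTag` / `postTag`; any `<em>` that then appears in the value is escaped like any other text.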

