This is an automated email from the ASF dual-hosted git repository. btellier pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/james-project.git
The following commit(s) were added to refs/heads/master by this push: new e25d182931 [FIX] Escape HTML before highlights (#2593) e25d182931 is described below commit e25d182931f03990b4c426f72ab47cfd7ce40b5a Author: Benoit TELLIER <btell...@linagora.com> AuthorDate: Thu Jan 16 17:23:57 2025 +0100 [FIX] Escape HTML before highlights (#2593) Because HTML is extracted prior indexing we need to escape it prior to rendering highlights otherwize one can inject additional <mark> tags that will get rendered.
---
 .../org/apache/james/mailbox/opensearch/search/OpenSearchSearcher.java | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/mailbox/opensearch/src/main/java/org/apache/james/mailbox/opensearch/search/OpenSearchSearcher.java b/mailbox/opensearch/src/main/java/org/apache/james/mailbox/opensearch/search/OpenSearchSearcher.java
index f15d8e1b60..a4144022bf 100644
--- a/mailbox/opensearch/src/main/java/org/apache/james/mailbox/opensearch/search/OpenSearchSearcher.java
+++ b/mailbox/opensearch/src/main/java/org/apache/james/mailbox/opensearch/search/OpenSearchSearcher.java
@@ -42,6 +42,7 @@ import org.opensearch.client.opensearch._types.Time;
 import org.opensearch.client.opensearch.core.SearchRequest;
 import org.opensearch.client.opensearch.core.search.Highlight;
 import org.opensearch.client.opensearch.core.search.HighlightField;
+import org.opensearch.client.opensearch.core.search.HighlighterEncoder;
 import org.opensearch.client.opensearch.core.search.Hit;
 
 import com.fasterxml.jackson.databind.node.ObjectNode;
@@ -84,6 +85,7 @@ public class OpenSearchSearcher {
 .build();
 
 this.highlightQuery = new Highlight.Builder()
+ .encoder(HighlighterEncoder.Html)
 .fields(JsonMessageConstants.SUBJECT, highlightField)
 .fields(JsonMessageConstants.TEXT_BODY, highlightField)
 .fields(JsonMessageConstants.HTML_BODY, highlightField)
--------------------------------------------------------------------- To unsubscribe, e-mail: notifications-unsubscr...@james.apache.org For additional commands, e-mail: notifications-h...@james.apache.org
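Review bot: The reason for `.encoder(HighlighterEncoder.Html)` is recorded only in the commit message, so the line reads as an optional setting that a later cleanup could drop; I would add a comment above it, e.g. `// Indexed text comes from sender-controlled HTML: encode fragments so only our own highlight tags are rendered as markup`. The encoder is set on the whole `Highlight`, so the SUBJECT and TEXT_BODY fragments are presumably entity-encoded as well, and any consumer that displays those as plain text would then show `&lt;`/`&amp;` literally, which is worth confirming against the clients that render these highlights. The diffstat shows this file only, so nothing pins the behaviour; a test that indexes a message whose subject contains a literal `<mark>` and asserts the returned highlight carries it escaped would guard against regression. The builder chain continues past the end of the hunk.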