Remove |safe filter from 6 template locations where data from external
search engine APIs was rendered as raw HTML without sanitization. Jinja2
autoescape now properly escapes these fields.
The |safe filter was originally added in commit 213041adc (March 2021)
by copying the pattern from result.title|safe and result.content|safe.
However, title and content are pre-escaped via escape() in webapp.py
lines 704-706 before highlight_content() adds trusted <span> tags for
search term highlighting. The metadata, info.value, link.url_label,
repository, and filename fields never go through any escaping and flow
directly from external API responses to the template.
Affected templates and their untrusted data sources:
- macros.html: result.metadata from DuckDuckGo, Reuters, Presearch,
Podcast Index, Fyyd, bpb, moviepilot, mediawiki, and others
- paper.html: result.metadata from academic search engines
- map.html: info.value and link.url_label from OpenStreetMap
user-contributed extratags
- code.html: result.repository and result.filename from GitHub API
Example exploit: a search engine API returning
metadata='<img src=x onerror=alert(document.cookie)>' would execute
arbitrary JavaScript in every user's browser viewing that result.
This patch implements the template generation of the template:
searx/templates/simple/icons.html
by the way the icon set (the icon names) has been normalized:
film-outline --> film
magnet-outline --> magnet
..
warning --> alert
Some missing (categorie) icons had been added.
Some of the ionicons are not suitable for a dark theme, we fixed the svg
manually in src/svg/ionicons:
- https://github.com/searxng/searxng/pull/4284#issuecomment-2680550342
Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>
* update from ionicons-npm to ionicons ver.5
* drop the webfont built by grunt for icons
* built icons.html template for inlining icons with jinja2 into html
* update icon to use mostly the outline version
* add icons to categories and do not display them on mobile to save space
* remove all legacy ion icon font files from simple theme
* icons.html is added in this commit since make statc.build.restore requires git to know the file already
* cleanup error-dialog
- npm package update
- apply #1226
- implement vim help dialog
- display cookies and search URL with preferences
- allow to enable / disable Open Access DOI rewrite
- add a clear text button on the left of the search button
- implement #1011 : the HTML title page is not set when using POST
- remove searx/static/themes/simple/img/loader.gif
- use full width when only there are only images as result
