diff --git a/doc/src/sgml/textsearch.sgml b/doc/src/sgml/textsearch.sgml index 9f48b2c3d5a..ca5ff90a111 100644 --- a/doc/src/sgml/textsearch.sgml +++ b/doc/src/sgml/textsearch.sgml @@ -1339,7 +1339,7 @@ ts_headline( config <b> and </b>, which can be suitable - for HTML output. + for HTML output (but see the warning below). @@ -1351,6 +1351,21 @@ ts_headline( config + + Warning: Cross-site scripting (XSS) safety + + The output from ts_headline is not guaranteed to + be safe for direct inclusion in web pages. When + HighlightAll is false (the + default), some simple XML tags are removed from the document, but this + is not guaranteed to remove all HTML markup. Therefore, this does not + provide an effective defense against attacks such as cross-site + scripting (XSS) attacks, when working with untrusted input. To guard + against such attacks, all HTML markup should be removed from the input + document, or an HTML sanitizer should be used on the output. + + + These option names are recognized case-insensitively. You must double-quote string values if they contain spaces or commas. @@ -2218,9 +2233,21 @@ LIMIT 10; email does not support all valid email characters as - defined by RFC 5322. Specifically, the only non-alphanumeric - characters supported for email user names are period, dash, and - underscore. + defined by RFC 5322. + Specifically, the only non-alphanumeric characters supported for + email user names are period, dash, and underscore. + + + + tag does not support all valid tag names as defined by + W3C Recommendation, XML. + Specifically, the only tag names supported are those starting with an + ASCII letter, underscore, or colon, and containing only letters, digits, + hyphens, underscores, periods, and colons. tag also + includes XML comments starting with <!-- and ending + with -->, and XML declarations (but note that this + includes anything starting with <?x and ending with + >).