Security issue with the _formatted attribute ( highlight )

[TiagoJacobs]

Describe the bug
When you do a search and require to highlight the terms that matched, an HTML tag <em> is added.
This force the applications to render the result from MailiSearch as HTML.
If a user insert a malicious HTML code, it will get executed.
MailiSearch should escape ( something similar to what php's htmlentities function does ).

Example:

Sample search: xuxu

Sample content:

ximira <script>alert('xablau')</script> xuxu

Highlighted content ( from a malicious user ):

ximira <script>alert('xablau')</script> <em>xuxu</em>

Expected highlighted content:

ximira &lt;script&gt;alert('xablau')&lt;/script&gt; <em>xuxu</em>

This means that web applications using the highlighted output will only evaluate tags generated by MeiliSearch.

[gmourier]

Hello @TiagoJacobs 👋

For the moment we have chosen to let the sanitization work to the choice of the user on the client-side according to his use case.

Here is an issue that will give more details about that choice. meilisearch/meilisearch#1409

It is possible that we will change this behavior later. I will move this issue to our product repository discussions space so that we can discuss this topic and other users can join and vote for the best proposals/messages 🗣

[TiagoJacobs]

hello @gmourier, thanks for this fast answer

As far as I understand, this software is ingesting plain text, which I think it's a good idea.

Being the indexed data a plain text, it should be HTML escaped whenever you produce an HTML output ( in this specific case, during the highlight process ).

It's not only about sanitization, it's about generating a valid HTML, imagine that you have a forum discussion and someone post this:

Hello teacher, if a=2, b=9, is it correct to say that b>a?

Indexing this question using meilisearch would be ok, but rendering the result would not be OK, because it would produce an invalid HTML.

For example, if you searched by the word teacher, the highlighted result would be:

Hello <em>teacher</em>, if a=2, b=9, is it correct to say that b>a?

As you can see, the > is going to be considered as HTML by the browser...

So I strongly believe it's a mistake to not encode HTML during the highlight process.

Let me know in case of any questions.