diff --git a/doc/src/sgml/textsearch.sgml b/doc/src/sgml/textsearch.sgml
index bde5f391e5c..bf91c23bd11 100644
--- a/doc/src/sgml/textsearch.sgml
+++ b/doc/src/sgml/textsearch.sgml
@@ -1342,7 +1342,7 @@ ts_headline( config <b> and </b>, which can be suitable - for HTML output. + for HTML output (but see the warning below).
@@ -1354,6 +1354,21 @@ ts_headline( config + + Warning: Cross-site scripting (XSS) safety + + The output from ts_headline is not guaranteed to + be safe for direct inclusion in web pages. When + HighlightAll is false (the + default), some simple XML tags are removed from the document, but this + is not guaranteed to remove all HTML markup. Therefore, this does not + provide an effective defense against attacks such as cross-site + scripting (XSS) attacks, when working with untrusted input. To guard + against such attacks, all HTML markup should be removed from the input + document, or an HTML sanitizer should be used on the output. + + + These option names are recognized case-insensitively. You must double-quote string values if they contain spaces or commas.
@@ -2225,6 +2240,18 @@ LIMIT 10; Specifically, the only non-alphanumeric characters supported for email user names are period, dash, and underscore. + + + tag does not support all valid tag names as defined by + W3C Recommendation, XML. + Specifically, the only tag names supported are those starting with an + ASCII letter, underscore, or colon, and containing only letters, digits, + hyphens, underscores, periods, and colons. tag also + includes XML comments starting with <!-- and ending + with -->, and XML declarations (but note that this + includes anything starting with <?x and ending with + >). +