Highlighting uses DefaultEncoder, leading to incorrect HTML escaping

Serge_Nekoval · January 28, 2011, 2:47pm

I noticed that HighlightPhase.java hardcodes the use of
DefaultEncoder, which does not escape the text before adding highlight
tags.
I know that Lucene supports HTML encoding, so is there a chance to
support it in ElasticSearch?

The problem is critical for highlighting plain-text fields. If you
escape a field after highlighting (on client), highlight tags will be
escaped as well. Note that all user-provided content HAS to be escaped
if you display it inside HTML page.

Am I the only one experiencing this problem?

Cory · February 24, 2011, 11:55pm

This is a problem for me also. Did you find a workaround?

-Cory

On Jan 28, 7:47 am, Serge Nekoval neko...@gmail.com wrote:

I noticed that HighlightPhase.java hardcodes the use ofDefaultEncoder, which does not escape the text before adding highlight
tags.
I know that Lucene supports HTML encoding, so is there a chance to
support it in Elasticsearch?

The problem is critical for highlighting plain-text fields. If you
escape a field after highlighting (on client), highlight tags will be
escaped as well. Note that all user-provided content HAS to be escaped
if you display it inside HTML page.

Am I the only one experiencing this problem?

Topic		Replies	Views
HTML_strip / highlight combo limitations? Elasticsearch	3	857	July 6, 2017
Elasticsearch Highlight the result of script fields Elasticsearch	3	554	November 6, 2022
Extension point for custom highlight logic Elasticsearch	7	380	July 6, 2017
Highlight fragments of fields that use the html_strip char filter still contain HTML tags Elasticsearch	4	18	August 27, 2024
Can I search for special characters highlight in Elastic? Elasticsearch	1	448	July 27, 2020

Highlighting uses DefaultEncoder, leading to incorrect HTML escaping

Related Topics