[Xapian-devel] opensearch template
Olly Betts
olly at survex.com
Tue Jan 3 17:00:26 GMT 2006
I've just noticed the Omega "opensearch" template seems to lack escaping
for URLs in <link> tags:
$httpheader{Content-Type,application/xml}<?xml version="1.0"?>
<rss version="2.0" xmlns:openSearch="http://a9.com/-/spec/opensearchrss/1.0/">
<channel>
<title>Xapian search results</title>
<link>$env{SCRIPT_NAME}?DB=$dbname&P=$html{$query}</link>
<description>Search results for "$html{$query}" at xapian.org</description>
<language>en</language>
<copyright>(C)2005, Xapian.org</copyright>
<openSearch:totalResults>$msize</openSearch:totalResults>
<openSearch:startIndex>$add{topdoc,1}</openSearch:startIndex>
<openSearch:itemsPerPage>$hitsperpage</openSearch:itemsPerPage>
$hitlist{
<item>
<title>$html{$or{$field{title},$field{caption}}}</title>
<link>$field{url}</link>
<description>$highlight{$field{sample},$terms,<strong>,</strong>}$if{$field{sample},...}</description>
</item>}
</channel>
</rss>
Surely $field{url} needs some sort of escaping? Also, we aren't
escaping $env{SCRIPT_NAME} or $dbname in the <channel>'s <link> tag.
Sadly, the opensearch spec doesn't really seem to cover the format of
URLs in <link> tags, but the "&" in the <channel>'s <link> makes
me suspect that $html{ } is the right answer.
But reading the spec, it does say that any HTML in the description tag
should be escaped once, or enclosed as CDATA:
http://opensearch.a9.com/docs/devfaq.jsp#html
Since we seem to be using RSS instead of ATOM, I think that means we
need a $html{ } around the contents of the description tag.
Cheers,
Olly
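
Added example, not part of the original post and not Omega code: a Python sketch of why the unescaped <link> and <description> values matter to a feed consumer. The names render_item and parse_item and the sample values are constructed, and xml.sax.saxutils.escape is an assumed stand-in for what $html{ } does to "&", "<" and ">".

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape


def render_item(title, url, description_html, escape_all):
    """Build one RSS <item>.

    With escape_all=False this mirrors the template as posted: only the
    title is escaped; the URL and description are emitted raw.
    """
    esc = escape if escape_all else (lambda s: s)
    return (
        "<item>"
        f"<title>{escape(title)}</title>"
        f"<link>{esc(url)}</link>"
        f"<description>{esc(description_html)}</description>"
        "</item>"
    )


def parse_item(xml_text):
    """Parse as a feed reader would.

    Returns (link text, description text, child tags found inside
    <description>), or None if the XML is not well-formed.
    """
    try:
        item = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    desc = item.find("description")
    return item.findtext("link"), desc.text, [child.tag for child in desc]


# Constructed sample values (not taken from any real index).
SAMPLE_URL = "http://example.org/view?id=7&lang=en"
PLAIN_URL = "http://example.org/doc.html"
SAMPLE_DESC = "<strong>xapian</strong> is a search library"

if __name__ == "__main__":
    # Raw "&" in the URL field: the whole feed fails to parse.
    print(parse_item(render_item("t", SAMPLE_URL, SAMPLE_DESC, False)))
    # No "&", but the highlight markup becomes real XML child elements.
    print(parse_item(render_item("t", PLAIN_URL, SAMPLE_DESC, False)))
    # Escaped once: the consumer gets the URL and the HTML back intact.
    print(parse_item(render_item("t", SAMPLE_URL, SAMPLE_DESC, True)))
```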