Vue-instantsearch: _highlightResult returns escaped html

Created on 27 Dec 2017  路  4Comments  路  Source: algolia/vue-instantsearch

Hey guys,

I have some data in Algolia which includes HTML content (the field name is called body in the examples below). When I perform a search, the body field from the "_highlightResult" object includes escaped html, which does not allow me to output it via v-html or <ais-highlight>component like so:
<ais-highlight :result="result" attribute-name="body"></ais-highlight>

The body from the result object itself is not escaped (see screenshot - took in Firefox v 57.0.1)

screen shot 2017-12-26 at 8 19 42 pm

Here's the JSON from Algolia dashboard:

{ "_highlightResult": { "title": { "value": "Thread with <em>html</em>", "matchLevel": "full", "fullyHighlighted": false, "matchedWords": [ "html" ] }, "body": { "value": "Hey hey!<br />\r\n<br />\r\nhow is it going?<br />\r\n<br />\r\nhere's a link: <a href=\"https://google.com\" rel=\"nofollow\" target=\"_blank\">https://google.com</a>", "matchLevel": "none", "matchedWords": [] } }

The workaround I use at the moment is by unescaping the body using a custom function, before setting the body with v-html like so:

screen shot 2017-12-26 at 8 32 39 pm

enhancement

Most helpful comment

The problem is that that highlighted values could be invalid HTML if the content is truncated at the wrong position.

We currently have no opt-out option for this but I'm not convinced we need it.
The only use case is if you have a controlled length field with valid HTML that is already secured.

All 4 comments

Hi @vasilestefirta,

The _highlightResult values are always escape by default. Except the highlight tag name (em in your case). I think we do that for security reason, since the value push to Algolia could be some sort of user generated content that's why we enforce the escaping for those attributes.

We can probably think to add an options for disable the auto escaping. Because there are some use cases like yours where it could be interesting to not escape.

cc @Haroenv @bobylito

The problem is that that highlighted values could be invalid HTML if the content is truncated at the wrong position.

We currently have no opt-out option for this but I'm not convinced we need it.
The only use case is if you have a controlled length field with valid HTML that is already secured.

Thanks guys!

Now it makes sense why that happened. I guess I'm going to stick with my workaround for now, but I'm looking forward for an enhancement down the road 馃憤

Hey @vasilestefirta,
Thanks for your support.
The enhancement will probably come from the Algolia API directly.
Until then I'm closing this.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

timkelty picture timkelty  路  5Comments

joshangell picture joshangell  路  6Comments

bobylito picture bobylito  路  4Comments

matthewmnewman picture matthewmnewman  路  6Comments

VinceG picture VinceG  路  6Comments