
generating page description from summary shouldn't use | safe #537

@rktjump

Description

System information

Zola version: 0.20.0
Tabi commit 2499387

Page description generated from summary can be used to inject data into <meta name="description"> and <meta name="og:description"> tags

Expected behaviour

generating page description from summary should not allow injections into tags

Actual behaviour

Stripping tags is not enough - quotes are not stripped and can be abused here. Please see "Steps to reproduce".

Steps to reproduce

Sample blog post demonstrating the issue:

---
title: hi
date: 2025-06-16
---

" onbeforetoggle='alert(1)'
<!-- more -->

This is not executed because of CSP, but the content is visible in the generated HTML, injected into <meta name="description"> (and og:description).

Additional context

I believe the fix would be to remove | safe from header.html, like so:

diff --git a/templates/partials/header.html b/templates/partials/header.html
index ada1f23..c2c6be1 100644
--- a/templates/partials/header.html
+++ b/templates/partials/header.html
@@ -92,8 +92,8 @@
         <meta name="description" content="{{ section.description }}" />
         <meta property="og:description" content="{{ section.description }}" />
     {%- elif page.summary %}
-        <meta name="description" content="{{ page.summary | striptags | trim_end_matches(pat=".") | safe }}…" />
-        <meta property="og:description" content="{{ page.summary | striptags | trim_end_matches(pat=".") | safe }}…" />
+        <meta name="description" content="{{ page.summary | striptags | trim_end_matches(pat=".") }}…" />
+        <meta property="og:description" content="{{ page.summary | striptags | trim_end_matches(pat=".") }}…" />
     {%- else %}
         <meta name="description" content="{{ config.description }}" />
         <meta property="og:description" content="{{ config.description }}" />
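Review bot: Dropping `| safe` on the two `page.summary` lines is the right fix. Tera's autoescape then encodes `"` as `&quot;` (and `'`, `<`, `>`, `&` as their entities), so a summary can no longer close the `content` attribute and append its own, and the two lines become consistent with `section.description` and `config.description` in the surrounding context, which are already emitted without `| safe`. One thing to verify before merging: `page.summary` is rendered HTML, so any text the Markdown renderer already entity-encoded (an `&amp;` standing for a literal ampersand, for instance) is escaped a second time and lands in the attribute as `&amp;amp;`; build a post whose summary contains `&` or `<`, inspect the emitted `<meta>` tags, and if they show doubled entities, derive the description from a plain-text source rather than from the rendered summary.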

Final checklist

  • I've checked that the issue isn't already reported.
  • I've tested with the latest version of tabi to check if the issue has already been fixed.
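To make the reported mechanism concrete, the following is an added example in Rust, not code from tabi or Zola. It models the two template pipelines from the diff, with and without `| safe`, using a stand-in for Tera's `striptags` filter and a stand-in for Tera's HTML autoescape (assumed here to encode `&`, `<`, `>`, `"`, `'` and `/`). The summary strings are constructed for the example, and it assumes the summary reaches the template with a literal double quote, as it would when the Markdown contains raw HTML that the renderer passes through unchanged.

```rust
// Added example, not code from tabi or Zola. It models the two pipelines
// from the reported header.html with a stand-in for Tera's `striptags`
// filter and a stand-in for Tera's HTML autoescape (assumed to encode
// & < > " ' and /), and shows what each emits for a crafted summary.

/// Stand-in for Tera's `striptags`: drops `<...>` runs and nothing else.
/// Quotes, ampersands and existing entities pass through untouched.
pub fn striptags(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    let mut in_tag = false;
    for c in input.chars() {
        match c {
            '<' => in_tag = true,
            '>' if in_tag => in_tag = false,
            _ if in_tag => {}
            _ => out.push(c),
        }
    }
    out
}

/// Stand-in for autoescaping (assumed Tera table). In Tera this runs on
/// every expression that is not marked `| safe`.
pub fn escape_html(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for c in input.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#x27;"),
            '/' => out.push_str("&#x2F;"),
            _ => out.push(c),
        }
    }
    out
}

/// The reported pipeline:
/// `page.summary | striptags | trim_end_matches(pat=".") | safe`
pub fn render_meta_unsafe(summary_html: &str) -> String {
    let text = striptags(summary_html);
    let text = text.trim_end_matches('.');
    format!(r#"<meta name="description" content="{text}…" />"#)
}

/// The proposed pipeline, `| safe` removed, so autoescape applies:
/// `page.summary | striptags | trim_end_matches(pat=".")`
pub fn render_meta_escaped(summary_html: &str) -> String {
    let text = striptags(summary_html);
    let text = escape_html(text.trim_end_matches('.'));
    format!(r#"<meta name="description" content="{text}…" />"#)
}

/// Counts `=` characters outside double-quoted values: a quick check that
/// the rendered tag still has exactly the two attributes the template wrote
/// (name= and content=) and the summary did not smuggle in a third.
pub fn attribute_count(tag: &str) -> usize {
    let mut in_quotes = false;
    let mut count = 0;
    for c in tag.chars() {
        match c {
            '"' => in_quotes = !in_quotes,
            '=' if !in_quotes => count += 1,
            _ => {}
        }
    }
    count
}

fn main() {
    // Constructed inputs: what page.summary might hold for three posts.
    let poc = "<p>\" onbeforetoggle='alert(1)'</p>"; // the reported payload
    let benign = "<p>Hello <em>world</em>.</p>";
    let amp = "<p>Tom &amp; Jerry</p>"; // renderer already encoded the `&`
    for (label, s) in [("poc", poc), ("benign", benign), ("amp", amp)] {
        let unsafe_tag = render_meta_unsafe(s);
        let escaped_tag = render_meta_escaped(s);
        println!("{label} with | safe ({} attrs): {unsafe_tag}", attribute_count(&unsafe_tag));
        println!("{label} escaped     ({} attrs): {escaped_tag}", attribute_count(&escaped_tag));
    }
}
```

The `poc` input comes out of the `| safe` pipeline with three attributes (`name`, `content` and the injected `onbeforetoggle`), and out of the escaped pipeline with two, the quote having become `&quot;`. The `amp` input shows the side effect of the fix: an entity the Markdown renderer already produced is encoded again and reaches the attribute as `&amp;amp;`, which is worth checking on a real site after removing `| safe`.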

Metadata

Labels: bug