readthedocs · ericholscher · Jan 24, 2019 · Dec 20, 2018 · Dec 20, 2018 · Dec 20, 2018
diff --git a/readthedocs/search/tests/data/docs/story.json b/readthedocs/search/tests/data/docs/story.json
@@ -1,5 +1,5 @@
 {
-  "content": "ReadtheDocsPhilosophy\nRead the Docs is Open Source software. We have licensed the code base as MIT, which provides almost no restrictions on the use of the code.\nHowever, as a project there are things that we care about more than others. We built Read the Docs to support  in the Open Source community. The code is open for people to contribute to, so that they may build features into https://readthedocs.org that they want. We also believe sharing the code openly is a valuable learning tool, especially for demonsrating how to collaborate and maintain an enormous website.\nOfficial website Support\nThe time of the core developers of Read the Docs is limited. We provide official developers support for the following things:\nLocal development on the Python code base\nUsage of https://readthedocs.org for Open Source projects\nBug fixes in the code base, as it applies to running it on https://readthedocs.org\nUnsupported\nThere are use cases that we don\u2019t support, because it doesn\u2019t further our goal of promoting  in the Open Source Community.\nWe do not support:\nSpecific usage of Sphinx and Mkdocs, that don\u2019t affect our hosting\nCustom s of Read the Docs at your company\n of Read the Docs on other platforms\nAny  issues outside of the Read the Docs Python Code\nRationale\nRead the Docs was founded to improve  in the Open Source Community. We fully recognize and allow the code to be used for internal installs at companies, but we will not spend our time supporting it. Our time is limited, and we want to spend it on the mission that we set out to originally support.\nIf you feel strongly about installing Read the Docs internal to a company, we will happily link to third party resources on this topic. Please open an issue with a proposal if you want to take on this task.",
+  "content": "ReadtheDocsPhilosophy\nRead the Docs is Open Source software. We have licensed the code base as MIT, which provides almost no restrictions on the use of the code.\nHowever, as a project there are things that we care about more than others. We built Read the Docs to support  in the Open Source community. The code is open for people to contribute to, so that they may build features into https://readthedocs.org that they want. <h3>XSS exploit</h3> We also believe sharing the code openly is a valuable learning tool, especially for demonsrating how to collaborate and maintain an enormous website.\nOfficial website Support\nThe time of the core developers of Read the Docs is limited. We provide official developers support for the following things:\nLocal development on the Python code base\nUsage of https://readthedocs.org for Open Source projects\nBug fixes in the code base, as it applies to running it on https://readthedocs.org\nUnsupported\nThere are use cases that we don\u2019t support, because it doesn\u2019t further our goal of promoting  in the Open Source Community.\nWe do not support:\nSpecific usage of Sphinx and Mkdocs, that don\u2019t affect our hosting\nCustom s of Read the Docs at your company\n of Read the Docs on other platforms\nAny  issues outside of the Read the Docs Python Code\nRationale\nRead the Docs was founded to improve  in the Open Source Community. We fully recognize and allow the code to be used for internal installs at companies, but we will not spend our time supporting it. Our time is limited, and we want to spend it on the mission that we set out to originally support.\nIf you feel strongly about installing Read the Docs internal to a company, we will happily link to third party resources on this topic. Please open an issue with a proposal if you want to take on this task.",
   "headers": [
     "Unsupported",
     "Rationale"

diff --git a/readthedocs/search/tests/test_xss.py b/readthedocs/search/tests/test_xss.py
@@ -0,0 +1,26 @@
+import pytest
+
+from readthedocs.search.documents import PageDocument
+
+
+@pytest.mark.django_db
+@pytest.mark.search
+class TestXSS(object):
+
+    def test_facted_page_xss(self, client, project):
+        query = 'XSS'
+        page_search = PageDocument.faceted_search(query=query)
+        results = page_search.execute()
+        expected = """
+        &lt;h3&gt;<em>XSS</em> exploit&lt;&#x2F;h3&gt;
+        """.strip()
+        assert results[0].meta.highlight.content[0][:len(expected)] == expected
+
+    def test_simple_page_xss(self, client, project):
+        query = 'XSS'
+        page_search = PageDocument.simple_search(query=query)
+        results = page_search.execute()
+        expected = """
+        '&lt;h3&gt;<em>XSS</em> exploit&lt;&#x2F;h3&gt;
+        """.strip()
+        assert results[0].meta.highlight.content[0][:len(expected)] == expected