You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@solr.apache.org by "David Smiley (Jira)" <ji...@apache.org> on 2022/10/19 15:39:00 UTC

[jira] [Created] (SOLR-16476) Don't need commons-text dependency in solr-core

David Smiley created SOLR-16476:
-----------------------------------

             Summary: Don't need commons-text dependency in solr-core
                 Key: SOLR-16476
                 URL: https://issues.apache.org/jira/browse/SOLR-16476
             Project: Solr
          Issue Type: Improvement
      Security Level: Public (Default Security Level. Issues are Public)
            Reporter: David Smiley


I don't think we +really+ need commons-text in solr-core.  I see it's for only one usage:
https://github.com/apache/solr/blob/c99af207c761ec34812ef1cc3054eb2804b7448b/solr/core/src/java/org/apache/solr/servlet/LoadAdminUiServlet.java#L83

{noformat}
String[] search = new String[] {"${contextPath}", "${adminPath}", "${version}"};
        String[] replace =
            new String[] {
              StringEscapeUtils.escapeEcmaScript(request.getContextPath()),
              StringEscapeUtils.escapeEcmaScript(CommonParams.CORES_HANDLER_PATH),
              StringEscapeUtils.escapeEcmaScript(pack.getSpecificationVersion())
            };
{noformat}

But contextPath & adminPath are no longer in our admin pages.  "version" is.  Regardless, I don't see why we need to escape EcmaScript; these variables come from internal/validated sources that will not have user provided data that could hack the pages.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org
For additional commands, e-mail: issues-help@solr.apache.org