You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@solr.apache.org by "Jan Høydahl (Jira)" <ji...@apache.org> on 2021/10/06 16:08:00 UTC

[jira] [Created] (SOLR-15678) Disallow html content-type in ShowFileRequestHandler

Jan Høydahl created SOLR-15678:
----------------------------------

             Summary: Disallow html content-type in ShowFileRequestHandler
                 Key: SOLR-15678
                 URL: https://issues.apache.org/jira/browse/SOLR-15678
             Project: Solr
          Issue Type: Task
      Security Level: Public (Default Security Level. Issues are Public)
            Reporter: Jan Høydahl
            Assignee: Jan Høydahl


ShowFileRequestHandler will return a file from a configSet, and is used in the Admin UI. It returns the file using its proper content type, so browsers will render JSON, XML and plain text correctly. However, for html files (although unllikely in a configset) it is better to render as plain-text in a browser. Both to avoid XSS and since users would want to see the html code, not a rendered page.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org
For additional commands, e-mail: issues-help@solr.apache.org