Posted to issues@solr.apache.org by "Jan Høydahl (Jira)" <ji...@apache.org> on 2021/10/06 16:08:00 UTC
[jira] [Created] (SOLR-15678) Disallow html content-type in ShowFileRequestHandler
Jan Høydahl created SOLR-15678:
----------------------------------
Summary: Disallow html content-type in ShowFileRequestHandler
Key: SOLR-15678
URL: https://issues.apache.org/jira/browse/SOLR-15678
Project: Solr
Issue Type: Task
Security Level: Public (Default Security Level. Issues are Public)
Reporter: Jan Høydahl
Assignee: Jan Høydahl
ShowFileRequestHandler will return a file from a configSet, and is used in the Admin UI. It returns the file using its proper content type, so browsers will render JSON, XML and plain text correctly. However, for html files (although unlikely in a configset) it is better to render as plain-text in a browser, both to avoid XSS and since users would want to see the html code, not a rendered page.
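
One way to apply the rule described in the issue, as an added example (not Solr's code and not the fix that was committed): the content type is normalized before comparison, so a value such as `TEXT/HTML; charset=UTF-8` is caught as well as a bare `text/html`. The class and method names are hypothetical, and treating `application/xhtml+xml` like html is an assumption that goes beyond the issue text.

```java
import java.util.List;
import java.util.Locale;
import java.util.Set;

public class ShowFileContentType {
  // Media types a browser renders as an active document. text/html is the type
  // named in the issue; application/xhtml+xml is added here as an assumption.
  private static final Set<String> RENDERED_AS_DOCUMENT =
      Set.of("text/html", "application/xhtml+xml");

  /** Returns the Content-Type to send for a file whose detected or requested type is {@code type}. */
  static String forDisplay(String type) {
    if (type == null || type.isBlank()) {
      return "text/plain";
    }
    // Split "text/html; charset=UTF-8" into the media type and its parameters.
    int semi = type.indexOf(';');
    String mediaType =
        (semi < 0 ? type : type.substring(0, semi)).trim().toLowerCase(Locale.ROOT);
    String params = semi < 0 ? "" : type.substring(semi);
    if (RENDERED_AS_DOCUMENT.contains(mediaType)) {
      // Keep the parameters (charset) so the source text still decodes correctly.
      return "text/plain" + params;
    }
    // JSON, XML, plain text and everything else keep their own type.
    return type;
  }

  public static void main(String[] args) {
    // Constructed sample values, not taken from Solr.
    List<String> samples = List.of(
        "application/json", "text/xml; charset=UTF-8", "text/html",
        "TEXT/HTML; charset=UTF-8", " text/html ;charset=utf-8");
    for (String s : samples) {
      System.out.printf("%-28s -> %s%n", "[" + s + "]", forDisplay(s));
    }
  }
}
```

A comparison with `equals("text/html")` alone would miss the last two sample values, which is why the media type is split from its parameters, trimmed and lower-cased first.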