Posted to solr-user@lucene.apache.org by abhayd <aj...@hotmail.com> on 2011/10/12 02:34:16 UTC

disable echoParam completely for security issues

Hi,
I already know about echoParam=none in request parameter and setting in solr
config file.

But even if I specify "none" in config file, request parameter overrides it.
Echo back to browser has some issues.

For instance rows parameter accepts script tag and echo back actually runs
the script in browser.

Any way to set echoParams=none and ignore request parameter?



--
View this message in context: http://lucene.472066.n3.nabble.com/disable-echoParam-completely-for-security-issues-tp3414411p3414411.html
Sent from the Solr - User mailing list archive at Nabble.com.

Re: disable echoParam completely for security issues

Posted by abhayd <aj...@hotmail.com>.
Great, that worked!!



Re: disable echoParam completely for security issues

Posted by Chris Hostetter <ho...@fucit.org>.
: But even if I specify "none" in config file, request parameter overrides it.
: Echo back to browser has some issues.

The request params only override things specified in the requestHandler 
definition if they are listed as "defaults". You can also specify 
"invariants" that are used no matter what the request params say ... there 
are examples of this in the example solrconfig.xml and on the wiki...

https://wiki.apache.org/solr/SearchHandler?highlight=%28invariants%29#Configuration


-Hoss
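
An added example, not part of the original thread or of Solr's own code: a small Python audit that reads a solrconfig.xml and reports, per requestHandler, whether echoParams is pinned under "invariants" as described in the reply above or only set under "defaults", where a request parameter still overrides it. The embedded config fragment, its handler names and the status labels are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample solrconfig.xml fragment (handler names are illustrative).
SAMPLE_SOLRCONFIG = """
<config>
  <!-- Weak: only a default, so a request-supplied echoParams still wins -->
  <requestHandler name="/select" class="solr.SearchHandler">
    <lst name="defaults">
      <str name="echoParams">none</str>
    </lst>
  </requestHandler>
  <!-- Pinned: invariants are used no matter what the request params say -->
  <requestHandler name="/search" class="solr.SearchHandler">
    <lst name="invariants">
      <str name="echoParams">none</str>
    </lst>
  </requestHandler>
  <!-- echoParams not configured at all -->
  <requestHandler name="/browse" class="solr.SearchHandler"/>
</config>
"""

def handler_param(handler, section, param):
    """Return the value of `param` inside <lst name=section>, or None."""
    for lst in handler.findall("lst"):
        if lst.get("name") == section:
            for child in lst:
                if child.get("name") == param:
                    return (child.text or "").strip()
    return None

def audit_echo_params(solrconfig_xml):
    """Map each requestHandler name to its echoParams status."""
    root = ET.fromstring(solrconfig_xml)
    report = {}
    for handler in root.iter("requestHandler"):
        name = handler.get("name")
        inv = handler_param(handler, "invariants", "echoParams")
        if inv is not None:
            report[name] = "locked" if inv == "none" else "forced-echo"
        elif handler_param(handler, "defaults", "echoParams") is not None:
            report[name] = "overridable"
        else:
            report[name] = "unset"
    return report

if __name__ == "__main__":
    for name, status in audit_echo_params(SAMPLE_SOLRCONFIG).items():
        print(f"{name}: echoParams {status}")
```

Handlers reported as "overridable" or "unset" are the ones where the echoParams setting should move into an "invariants" list.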