Posted to issues@solr.apache.org by "Aaron LaBella (Jira)" <ji...@apache.org> on 2021/12/16 16:32:00 UTC

[jira] [Commented] (SOLR-15678) Disallow html content-type in ShowFileRequestHandler

    [ https://issues.apache.org/jira/browse/SOLR-15678?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17460857#comment-17460857 ] 

Aaron LaBella commented on SOLR-15678:
--------------------------------------

This change broke the Solr admin Files section, namely because:
 1. MimeTypes.getKnownContentTypes() method doesn't include text/xml and the files.js angular controller uses that content type
 2. The files.js JS controller also passes ;charset=utf-8 which the new method wasn't properly supporting

Attached is a PATCH that resolves the issue. Please apply as soon as possible. [^0001-account-for-missing-text-xml-content-type.patch]

> Disallow html content-type in ShowFileRequestHandler
> ----------------------------------------------------
>
>                 Key: SOLR-15678
>                 URL: https://issues.apache.org/jira/browse/SOLR-15678
>             Project: Solr
>          Issue Type: Task
>            Reporter: Jan Høydahl
>            Assignee: Jan Høydahl
>            Priority: Major
>             Fix For: 8.11
>
>         Attachments: 0001-account-for-missing-text-xml-content-type.patch
>
>          Time Spent: 1h
>  Remaining Estimate: 0h
>
> ShowFileRequestHandler will return a file from a configSet, and is used in the Admin UI. It returns the file using its proper content type, so browsers will render JSON, XML and plain text correctly. However, for html files (although unlikely in a configset) it is better to render as plain-text in a browser. Both to avoid XSS and since users would want to see the html code, not a rendered page.
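
The two problems the comment reports (an allowlist without `text/xml`, and a `;charset=utf-8` parameter the check did not handle), together with the HTML-to-plain-text downgrade from the issue description, can be handled as in this added Java example. It is not Solr's code or the attached patch; the class `ContentTypePolicy`, its allowlist and the sample inputs are assumptions constructed here.

```java
import java.nio.charset.Charset;
import java.util.Locale;
import java.util.Set;

// Hypothetical helper for illustration; not Solr's ShowFileRequestHandler.
public class ContentTypePolicy {
  // Constructed allowlist; text/xml is present because the Admin UI requests it.
  private static final Set<String> ALLOWED = Set.of(
      "text/plain", "text/xml", "application/xml", "application/json", "text/csv");
  private static final String SAFE_DEFAULT = "text/plain";

  /** Returns the Content-Type header value to send for a caller-requested type. */
  public static String resolve(String requested) {
    if (requested == null || requested.isBlank()) return SAFE_DEFAULT;
    // Compare only the media type; parameters such as charset are handled separately.
    String[] parts = requested.split(";");
    String mediaType = parts[0].trim().toLowerCase(Locale.ROOT);
    // Anything off the allowlist (text/html included) is served as plain text,
    // so the browser shows the source instead of rendering it.
    if (!ALLOWED.contains(mediaType)) mediaType = SAFE_DEFAULT;
    String charset = null;
    for (int i = 1; i < parts.length; i++) {
      String[] kv = parts[i].split("=", 2);
      if (kv.length == 2 && kv[0].trim().equalsIgnoreCase("charset")) {
        charset = safeCharset(kv[1].trim());
      }
    }
    return charset == null ? mediaType : mediaType + ";charset=" + charset;
  }

  // Keep a charset only if the JVM knows it; emit its canonical name, never caller text.
  private static String safeCharset(String name) {
    if (name.length() >= 2 && name.startsWith("\"") && name.endsWith("\"")) {
      name = name.substring(1, name.length() - 1);
    }
    try {
      return Charset.isSupported(name) ? Charset.forName(name).name() : null;
    } catch (IllegalArgumentException e) { // syntactically illegal charset name
      return null;
    }
  }

  public static void main(String[] args) {
    // Constructed sample inputs
    String[] samples = {"text/xml;charset=utf-8", "TEXT/HTML; charset=UTF-8",
        "application/json", "text/xml;charset=no-such-charset", null};
    for (String s : samples) System.out.println(s + " -> " + resolve(s));
  }
}
```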


