You are viewing a plain text version of this content. The canonical link for it is here.
Posted to solr-dev@lucene.apache.org by "Otis Gospodnetic (JIRA)" <ji...@apache.org> on 2006/12/02 06:30:21 UTC
[jira] Commented: (SOLR-74) Cross-site scripting vulnerabilities
[ http://issues.apache.org/jira/browse/SOLR-74?page=comments#action_12455075 ]
Otis Gospodnetic commented on SOLR-74:
--------------------------------------
analysis.jsp is getting changed in SOLR-58, so the last 3 CSS issues will be taken care of there.
> Cross-site scripting vulnerabilities
> ------------------------------------
>
> Key: SOLR-74
> URL: http://issues.apache.org/jira/browse/SOLR-74
> Project: Solr
> Issue Type: Bug
> Components: web gui
> Reporter: Erik Hatcher
>
> There are a number of cross-site scripting vulnerabilities in the Solr admin JSP pages, wherever data is being re-displayed as typed by the user.
> For example, in analysis.jsp: <textarea class="std" rows="1" cols="70" name="qval"><%= qval %></textarea>
> These need to be modified to HTML escape the values rather than directly outputting the exact values.
> The other affected JSP pages: action.jsp and get-file.jsp
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira