Posted to solr-dev@lucene.apache.org by "Otis Gospodnetic (JIRA)" <ji...@apache.org> on 2006/12/02 06:30:21 UTC

[jira] Commented: (SOLR-74) Cross-site scripting vulnerabilities

    [ http://issues.apache.org/jira/browse/SOLR-74?page=comments#action_12455075 ] 
            
Otis Gospodnetic commented on SOLR-74:
--------------------------------------

analysis.jsp is getting changed in SOLR-58, so the last 3 CSS issues will be taken care of there.

> Cross-site scripting vulnerabilities
> ------------------------------------
>
>                 Key: SOLR-74
>                 URL: http://issues.apache.org/jira/browse/SOLR-74
>             Project: Solr
>          Issue Type: Bug
>          Components: web gui
>            Reporter: Erik Hatcher
>
> There are a number of cross-site scripting vulnerabilities in the Solr admin JSP pages, wherever data is being re-displayed as typed by the user.  
> For example, in analysis.jsp:  <textarea class="std" rows="1" cols="70" name="qval"><%= qval %></textarea>
> These need to be modified to HTML escape the values rather than directly outputting the exact values. 
> The other affected JSP pages: action.jsp and get-file.jsp

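As an added illustration (not code from the Solr project or from either poster), the `<%= qval %>` pattern quoted in the issue and its escaped counterpart, reduced to plain Java so the difference can be run and seen; the class, method names and the sample input are assumptions.

```java
// Added example, not Solr code: the unescaped textarea from SOLR-74 beside
// the escaped form, with a small HTML-escaping helper such a JSP could call.
public class TextareaEscapeDemo {

    // Escape the five characters that can end an HTML text node or a
    // double-quoted attribute value. Safe for both contexts.
    public static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Equivalent of the reported JSP line: the request parameter is
    // concatenated into the page exactly as typed.
    public static String renderUnescaped(String qval) {
        return "<textarea class=\"std\" rows=\"1\" cols=\"70\" name=\"qval\">"
                + qval + "</textarea>";
    }

    // Hardened form: what <%= escapeHtml(qval) %> would emit instead.
    public static String renderEscaped(String qval) {
        return "<textarea class=\"std\" rows=\"1\" cols=\"70\" name=\"qval\">"
                + escapeHtml(qval) + "</textarea>";
    }

    public static void main(String[] args) {
        // Constructed sample input: a closing tag followed by harmless markup.
        String qval = "</textarea><b>x</b>";
        // Unescaped: the textarea is closed early and <b>x</b> is rendered.
        System.out.println(renderUnescaped(qval));
        // Escaped: the whole string stays as inert text inside the textarea.
        System.out.println(renderEscaped(qval));
    }
}
```

Escaping at the point of output, as in the second render method, is what the issue asks for; it does not require rejecting or altering the stored value.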