You are viewing a plain text version of this content. The canonical link for it is here.

Posted to solr-dev@lucene.apache.org by "Hoss Man (JIRA)" <ji...@apache.org> on 2006/12/16 09:42:21 UTC

[jira] Resolved: (SOLR-74) Cross-site scripting vulnerabilities

     [ http://issues.apache.org/jira/browse/SOLR-74?page=all ]

Hoss Man resolved SOLR-74.
--------------------------

    Resolution: Fixed

I made the neccessary changes to action.jsp, and analysis.jsp as well (since the analysys.jsp changes in SOLR-58 were rolled back recently)

i didn't modify get-file.jsp -- it's mime type is explicitly text/plain, so there's nothing to escape. 

> Cross-site scripting vulnerabilities
> ------------------------------------
>
>                 Key: SOLR-74
>                 URL: http://issues.apache.org/jira/browse/SOLR-74
>             Project: Solr
>          Issue Type: Bug
>          Components: web gui
>            Reporter: Erik Hatcher
>         Assigned To: Hoss Man
>
> There are a number of cross-site scripting vulnerabilities in the Solr admin JSP pages, wherever data is being re-displayed as typed by the user.  
> For example, in analysis.jsp:  <textarea class="std" rows="1" cols="70" name="qval"><%= qval %></textarea>
> These need to be modified to HTML escape the values rather than directly outputting the exact values. 
> The other affected JSP pages: action.jsp and get-file.jsp

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira