lucene-dev mailing list archives

From Jan Høydahl (JIRA) <j...@apache.org>
Subject [jira] [Updated] (SOLR-11468) Missing output encoding in file viewer component on admin UI
Date Thu, 13 Dec 2018 17:44:00 GMT

     [ https://issues.apache.org/jira/browse/SOLR-11468?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jan Høydahl updated SOLR-11468:
-------------------------------
    Fix Version/s:     (was: 7.5.1)

> Missing output encoding in file viewer component on admin UI
> ------------------------------------------------------------
>
>                 Key: SOLR-11468
>                 URL: https://issues.apache.org/jira/browse/SOLR-11468
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: Admin UI
>    Affects Versions: 7.0.1
>            Reporter: Arpad Ilia
>            Priority: Major
>              Labels: security
>         Attachments: SOLR-11468.patch
>
>
> When viewing the contents of a file in "Files", if the file is not an xml (e.g. is a txt) and contains a script, the script will run.
> Example: create a file called 'demo.txt' in one of the cores with the following contents:
> <script>alert("JavaScript")</script>
> When viewing the file on the admin UI a popup will display (indicating that the javascript code was executed) instead of the script being displayed as text.
> This is the part of the files.html which is problematic:
> <code ng-bind-html="content | highlight:lang | unsafe"></code>
> Seems to affect all versions with the new (angular) UI.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
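
The output-encoding rule the report points at, as an added example that is not part of the original message or of Solr's code: file content is HTML-encoded on every path before anything marks the result as trusted markup. The function names, the stand-in XML highlighter and the assumption that non-XML content reaches the page unencoded are illustrative, not taken from files.html.

```javascript
// Added example. Models a chain like `content | highlight:lang | unsafe`.
// All names are hypothetical; this is not the admin UI's implementation.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that can start a tag, an attribute value or an entity.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Stand-in highlighter: encodes the input FIRST, then wraps tag names in its
// own spans, so the only live markup in the result is markup it generated.
function highlightXml(text) {
  return escapeHtml(text).replace(/&lt;(\/?)([A-Za-z][\w:.-]*)/g,
    (_, slash, name) => `&lt;${slash}<span class="tag">${name}</span>`);
}

// Assumed weak shape: file types without a highlighter pass through as-is,
// and the caller then binds the string as trusted HTML.
function renderWeak(content, lang) {
  return lang === 'xml' ? highlightXml(content) : content;
}

// Hardened shape: no branch returns raw file content.
function renderHardened(content, lang) {
  return lang === 'xml' ? highlightXml(content) : escapeHtml(content);
}

// Regression check: true if the string holds any live tag other than the
// highlighter's own <span class="tag"> ... </span> pairs.
function hasLiveMarkup(html) {
  return /<(?!span class="tag">|\/span>)/.test(html);
}

// Constructed samples: the demo.txt content from the report and a small XML file.
const demoTxt = '<script>alert("JavaScript")</script>';
const demoXml = '<a href="x">1 & 2</a>';

console.log('weak txt live markup:    ', hasLiveMarkup(renderWeak(demoTxt, 'txt')));
console.log('hardened txt live markup:', hasLiveMarkup(renderHardened(demoTxt, 'txt')));
console.log('hardened txt output:     ', renderHardened(demoTxt, 'txt'));
console.log('hardened xml output:     ', renderHardened(demoXml, 'xml'));
```

In an AngularJS template, binding plain text with `ng-bind` or `{{ }}` gives the same encoding for free; explicit escaping is only needed where highlighter markup has to be rendered as HTML.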
