lucene-solr-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Koji Sekiguchi <>
Subject Re: Confused about highlighting
Date Sat, 21 Aug 2010 02:34:09 GMT
  (10/08/21 9:04), Mark E. Haase wrote:
> I have highlighting working on my project (indexing content for a web app),
> but the idea of highlighting with<em>  tags doesn't make sense to me. It
> seems that it opens up the system to XSS attacks if you echo search result
> data (with highlights) into a web page.
> Example: Index the following string:
> example of malicious script:<script>alert(1)</script>
> Now when I fetch this document from Solr, I will escape it before
> outputting, it, giving me:
> example of malicious script:&lt;script&rt;alert(1)&lt;/script&gt;
> But if I turn highlighting on and the highlight is the<em>  tag, then when I
> search for the word "example" I would get:
> &lt;em&rt;example&lt;/em&rt; of malicious script:
> &lt;script&rt;alert(1)&lt;/script&gt;
> When a browser displays this, it will literally print<em>  tags around the
> word "example" instead of actually visually emphasizing the word.
> Now then, I could escape the text before indexing, but then Solr's index
> would include words like "lt", "rt", and "amp". I can't put these words on
> the stopword list because "amp" is a real word that a user might want to
> search for.
> Any errors in my logic? The only thing I can think to do is to change the
> highlight "pre" and "post" to some non-HTML string and then parse the
> response to replace those with correct HTML tags. But that's definitely
> hacky.
> Thanks,
> Mark

You are right. Luckily, the latest Solr in branch_3x and trunk can accept
Lucene's Encoder. Check out SOLR-2021 and example solrconfig.xml:

HtmlEncoder is set as default in the example solrconfig.xml,
you'll get the following snippet:

<em>example</em> of malicious script: &lt;script&gt;alert(1)&lt;/script&gt;



View raw message