lucene-solr-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Mark E. Haase" <meha...@gmail.com>
Subject Confused about highlighting
Date Sat, 21 Aug 2010 00:04:51 GMT
I have highlighting working on my project (indexing content for a web app),
but the idea of highlighting with <em> tags doesn't make sense to me. It
seems that it opens up the system to XSS attacks if you echo search result
data (with highlights) into a web page.

Example: Index the following string:

example of malicious script: <script>alert(1)</script>


Now when I fetch this document from Solr, I will escape it before
outputting, it, giving me:

example of malicious script: &lt;script&rt;alert(1)&lt;/script&gt;


But if I turn highlighting on and the highlight is the <em> tag, then when I
search for the word "example" I would get:

&lt;em&rt;example&lt;/em&rt; of malicious script:
&lt;script&rt;alert(1)&lt;/script&gt;

When a browser displays this, it will literally print <em> tags around the
word "example" instead of actually visually emphasizing the word.

Now then, I could escape the text before indexing, but then Solr's index
would include words like "lt", "rt", and "amp". I can't put these words on
the stopword list because "amp" is a real word that a user might want to
search for.

Any errors in my logic? The only thing I can think to do is to change the
highlight "pre" and "post" to some non-HTML string and then parse the
response to replace those with correct HTML tags. But that's definitely
hacky.

Thanks,
Mark

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message