[ 
https://issues.apache.org/jira/browse/SOLR-7920?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14699508#comment-14699508
 ] 

Upayavira commented on SOLR-7920:
---------------------------------

[~noble.paul] see above "Commit 1696213 from Upayavira in branch 
'dev/branches/lucene_solr_5_3'". I should have waited until 5.3 was complete, 
before committing into the _5_3 branch. However, it did sneak in. It was the 
smallest of tweaks though, and pretty innocuous.

The only thing is, it isn't in the 5.3 CHANGES.txt section. I'll fix that, but 
it won't be in it for this release. IMO, this is no big deal and we should 
proceed with the vote as it is currently running.

> There is an XSS issue in schema-browser page of Admin Web UI.
> -------------------------------------------------------------
>
>                 Key: SOLR-7920
>                 URL: https://issues.apache.org/jira/browse/SOLR-7920
>             Project: Solr
>          Issue Type: Bug
>          Components: web gui
>    Affects Versions: 4.9, 4.10.4, 5.2.1
>            Reporter: davidchiu
>            Assignee: Upayavira
>             Fix For: 5.3, 5.4
>
>
> Open Solr Admin Web UI, select a core (such as collection1) and then click 
> "schema-browse", and input a url like 
> "http://127.0.0.1:8983/solr/#/collection1/schema-browser?field=cat=<img src=1 
> onerror=alert(1);>" to the browser address, you will get an alert box with "1".
> I changed the following code to avoid this problem:
> Original code:
>  $( 'option[value="' + params.route_params.path + '"]', 
> related_select_element )
>         .attr( 'selected', 'selected' );
> Changed code:
>  $( 'option[value="' + params.route_params.path.esc() + '"]', 
> related_select_element )
>         .attr( 'selected', 'selected' );



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
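The quoted report shows the root cause in one line: a value taken from the URL fragment is concatenated straight into a jQuery selector string, and the fix is to escape it first. The following is an added example written for this thread, not code from the Solr project; escHtml() is an assumed stand-in for the admin UI's String.prototype.esc() helper (the real implementation may differ in detail), and the sample value is constructed to mirror the proof of concept in the report. It contrasts the vulnerable and fixed selector builders and adds a small check a reviewer can run to confirm that no complete tag survives in the built selector.

```javascript
// Added example (not Solr project code). escHtml() is an assumed
// stand-in for the admin UI's String.prototype.esc(); the real helper
// may differ in detail.

// Escape the five HTML-significant characters so a value pasted into a
// selector or into markup can never open a new tag or attribute.
function escHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern from the report: the URL fragment value is
// concatenated directly into the selector string.
function buildSelectorUnsafe(path) {
  return 'option[value="' + path + '"]';
}

// Fixed pattern: escape first, so '<img ...>' becomes inert text and the
// quote that would close the attribute selector is neutralised.
function buildSelectorSafe(path) {
  return 'option[value="' + escHtml(path) + '"]';
}

// Review/test helper: does the string carry a complete tag? jQuery
// versions before 1.9 treat a string containing one as HTML to parse
// rather than as a selector, which is why a selector built from
// untrusted input can execute script at all.
function containsMarkup(selector) {
  return /<[a-zA-Z][^>]*>/.test(selector);
}

// Constructed sample value mirroring the report's proof of concept.
const reported = 'cat=<img src=1 onerror=alert(1);>';

console.log('unsafe :', buildSelectorUnsafe(reported),
            '-> markup present:', containsMarkup(buildSelectorUnsafe(reported)));
console.log('safe   :', buildSelectorSafe(reported),
            '-> markup present:', containsMarkup(buildSelectorSafe(reported)));
```

HTML-escaping is what the report's .esc() fix does and it removes the injection, but note the side effect: a field name containing a quote or angle bracket will no longer match its option, since the escaped form is compared literally against the option's value. When the goal is a precise selector match rather than safe display, the browser's CSS.escape() is the purpose-built tool; either way the rule a reviewer should apply is the same, never concatenate raw URL or hash data into a selector.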
