[jira] Updated: (SOLR-1031) XSS vulnerability in schema.jsp (patch included)

2009-02-21 Thread Erik Hatcher (JIRA)

 [ 
https://issues.apache.org/jira/browse/SOLR-1031?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Erik Hatcher updated SOLR-1031:
---

Fix Version/s: 1.4

> XSS vulnerability in schema.jsp (patch included)
> 
>
> Key: SOLR-1031
> URL: https://issues.apache.org/jira/browse/SOLR-1031
> Project: Solr
> Issue Type: Bug
> Components: web gui
> Affects Versions: 1.2, 1.3
> Reporter: Paul Lovvik
> Fix For: 1.4
>
> Attachments: SchemaXSS.patch, SOLR-1031.patch
>
>
> If javascript is embedded in any of the fields, it is possible for that 
> javascript to be executed when viewing the schema.
> The javascript will appear in the "Top Terms" part of the UI.
> I have created a simple patch to prevent this problem from occurring.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.



[jira] Updated: (SOLR-1031) XSS vulnerability in schema.jsp (patch included)

2009-02-20 Thread Peter Wolanin (JIRA)

 [ 
https://issues.apache.org/jira/browse/SOLR-1031?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Peter Wolanin updated SOLR-1031:


Attachment: SOLR-1031.patch

> XSS vulnerability in schema.jsp (patch included)
> 
>
> Key: SOLR-1031
> URL: https://issues.apache.org/jira/browse/SOLR-1031
> Project: Solr
> Issue Type: Bug
> Components: web gui
> Affects Versions: 1.2, 1.3
> Reporter: Paul Lovvik
> Attachments: SchemaXSS.patch, SOLR-1031.patch
>
>
> If javascript is embedded in any of the fields, it is possible for that 
> javascript to be executed when viewing the schema.
> The javascript will appear in the "Top Terms" part of the UI.
> I have created a simple patch to prevent this problem from occurring.




[jira] Updated: (SOLR-1031) XSS vulnerability in schema.jsp (patch included)

2009-02-20 Thread Paul Lovvik (JIRA)

 [ 
https://issues.apache.org/jira/browse/SOLR-1031?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Paul Lovvik updated SOLR-1031:
--

Description: 
If javascript is embedded in any of the fields, it is possible for that 
javascript to be executed when viewing the schema.

The javascript will appear in the "Top Terms" part of the UI.

I have created a simple patch to prevent this problem from occurring.


  was:
If javascript is embedded in any of the fields, it is possible for that 
javascript to be executed when viewing the schema.

The javascript will appear in the "Top Terms" part of the UI.

I have created a simple patch to prevent this problem from occurring.


Hmmm...  I apparently can't attach the patch, so here is the patch text:

Index: src/webapp/web/admin/schema.jsp
===
--- src/webapp/web/admin/schema.jsp (revision 746406)
+++ src/webapp/web/admin/schema.jsp (working copy)
@@ -490,14 +490,10 @@
 
 var numTerms = 0;
 $.each(topTerms, function(term, count) {
-  var row = document.createElement('tr');
-  var c1 = document.createElement('td');
-  c1.innerHTML=term;
-  var c2 = document.createElement('td');
-  c2.innerHTML=count;
-  row.appendChild(c1);
-  row.appendChild(c2);
-  tbody.appendChild(row);
+  var c1 = $('').text(term);
+  var c2 = $('').text(count);
+  var row = $('').append(c1).append(c2);
+  tbody.appendChild(row.get(0));
   numTerms++;
 });
 tbl.appendChild(tbody);
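
Review bot: On the three added lines that build the cells and the row, the argument to `$()` is an empty string as it appears here (`$('').text(term)`, `$('').append(c1)`). `$('')` yields an empty jQuery set, so `.text()` has nothing to write to and `row.get(0)` is `undefined`, which makes `tbody.appendChild(...)` fail instead of adding a row. The removed lines created `td` and `tr` elements, so the element markup passed to `$()` was most likely stripped when the patch was pasted into the description; the attached SchemaXSS.patch should be checked to confirm it still carries the `td` and `tr` creation strings before this is applied. Replacing `innerHTML` with `.text()` is the right direction for the term cell, since the value is then inserted as text rather than parsed as markup.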



> XSS vulnerability in schema.jsp (patch included)
> 
>
> Key: SOLR-1031
> URL: https://issues.apache.org/jira/browse/SOLR-1031
> Project: Solr
> Issue Type: Bug
> Components: web gui
> Affects Versions: 1.2, 1.3
> Reporter: Paul Lovvik
> Attachments: SchemaXSS.patch
>
>
> If javascript is embedded in any of the fields, it is possible for that 
> javascript to be executed when viewing the schema.
> The javascript will appear in the "Top Terms" part of the UI.
> I have created a simple patch to prevent this problem from occurring.




[jira] Updated: (SOLR-1031) XSS vulnerability in schema.jsp (patch included)

2009-02-20 Thread Paul Lovvik (JIRA)

 [ 
https://issues.apache.org/jira/browse/SOLR-1031?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Paul Lovvik updated SOLR-1031:
--

Attachment: SchemaXSS.patch

Here is the patch.

> XSS vulnerability in schema.jsp (patch included)
> 
>
> Key: SOLR-1031
> URL: https://issues.apache.org/jira/browse/SOLR-1031
> Project: Solr
> Issue Type: Bug
> Components: web gui
> Affects Versions: 1.2, 1.3
> Reporter: Paul Lovvik
> Attachments: SchemaXSS.patch
>
>
> If javascript is embedded in any of the fields, it is possible for that 
> javascript to be executed when viewing the schema.
> The javascript will appear in the "Top Terms" part of the UI.
> I have created a simple patch to prevent this problem from occurring.
> Hmmm...  I apparently can't attach the patch, so here is the patch text:
> Index: src/webapp/web/admin/schema.jsp
> ===
> --- src/webapp/web/admin/schema.jsp   (revision 746406)
> +++ src/webapp/web/admin/schema.jsp   (working copy)
> @@ -490,14 +490,10 @@
>  
>  var numTerms = 0;
>  $.each(topTerms, function(term, count) {
> -  var row = document.createElement('tr');
> -  var c1 = document.createElement('td');
> -  c1.innerHTML=term;
> -  var c2 = document.createElement('td');
> -  c2.innerHTML=count;
> -  row.appendChild(c1);
> -  row.appendChild(c2);
> -  tbody.appendChild(row);
> +  var c1 = $('').text(term);
> +  var c2 = $('').text(count);
> +  var row = $('').append(c1).append(c2);
> +  tbody.appendChild(row.get(0));
>numTerms++;
>  });
>  tbl.appendChild(tbody);
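
Review bot: The replacement lines build the row with jQuery and then unwrap it with `row.get(0)` to pass it to the raw DOM call `tbody.appendChild(...)`, so the loop now mixes two APIs for one table row. A smaller change keeps the removed `document.createElement` lines and swaps only the two `innerHTML=` assignments for `c1.appendChild(document.createTextNode(term))` and the equivalent for `count`, which removes the markup parsing without changing how the row is assembled. The hunk also touches only the `topTerms` loop, while the description says the script can come from any of the fields, so any other place in schema.jsp that writes index-derived values through `innerHTML` needs the same treatment.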
