[ http://issues.apache.org/jira/browse/SOLR-74?page=comments#action_12455075 ]

Otis Gospodnetic commented on SOLR-74:
--------------------------------------

analysis.jsp is getting changed in SOLR-58, so the last 3 CSS issues will be taken care of there.

> Cross-site scripting vulnerabilities
> ------------------------------------
>
>          Key: SOLR-74
>          URL: http://issues.apache.org/jira/browse/SOLR-74
>      Project: Solr
>   Issue Type: Bug
>   Components: web gui
>     Reporter: Erik Hatcher
>
> There are a number of cross-site scripting vulnerabilities in the Solr admin
> JSP pages, wherever data is being re-displayed as typed by the user.
> For example, in analysis.jsp:
> <textarea class="std" rows="1" cols="70" name="qval"><%= qval %></textarea>
> These need to be modified to HTML escape the values rather than directly
> outputting the exact values.
> The other affected JSP pages: action.jsp and get-file.jsp