[
https://issues.apache.org/jira/browse/SOLR-1031?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12675526#action_12675526
]
Peter Wolanin commented on SOLR-1031:
-------------------------------------
Drupal ships with a little JS function for sanitizing output (works like the
PHP function htmlspecialchars($text, ENT_QUOTES) ). Possibly you could add
something similar if the text() function doesn't give the desired output:
{code:javascript}
/**
* Encode special characters in a plain-text string for display as HTML.
*/
Drupal.checkPlain = function(str) {
str = String(str);
var replace = { '&': '&', '"': '"', '<': '<', '>': '>' };
for (var character in replace) {
var regex = new RegExp(character, 'g');
str = str.replace(regex, replace[character]);
}
return str;
};
{code}
http://php.net/htmlspecialchars
http://cvs.drupal.org/viewvc.py/drupal/drupal/misc/drupal.js?revision=1.50&view=markup
> XSS vulnerability in schema.jsp (patch included)
> ------------------------------------------------
>
> Key: SOLR-1031
> URL: https://issues.apache.org/jira/browse/SOLR-1031
> Project: Solr
> Issue Type: Bug
> Components: web gui
> Affects Versions: 1.2, 1.3
> Reporter: Paul Lovvik
> Attachments: SchemaXSS.patch, SOLR-1031.patch
>
>
> If javascript is embedded in any of the fields, it is possible for that
> javascript to be executed when viewing the schema.
> The javascript will appear in the "Top Terms" part of the UI.
> I have created a simple patch to prevent this problem from occurring.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
