[ https://issues.apache.org/jira/browse/SOLR-1031?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12675526#action_12675526 ]
Peter Wolanin commented on SOLR-1031:
-------------------------------------

Drupal ships with a little JS function for sanitizing output (works like the PHP function htmlspecialchars($text, ENT_QUOTES)). Possibly you could add something similar if the text() function doesn't give the desired output:

{code:javascript}
/**
 * Encode special characters in a plain-text string for display as HTML.
 */
Drupal.checkPlain = function(str) {
  str = String(str);
  // Entity replacements; '&' is listed first so it is not re-escaped later.
  var replace = { '&': '&amp;', '"': '&quot;', '<': '&lt;', '>': '&gt;' };
  for (var character in replace) {
    var regex = new RegExp(character, 'g');
    str = str.replace(regex, replace[character]);
  }
  return str;
};
{code}

http://php.net/htmlspecialchars
http://cvs.drupal.org/viewvc.py/drupal/drupal/misc/drupal.js?revision=1.50&view=markup

> XSS vulnerability in schema.jsp (patch included)
> ------------------------------------------------
>
> Key: SOLR-1031
> URL: https://issues.apache.org/jira/browse/SOLR-1031
> Project: Solr
> Issue Type: Bug
> Components: web gui
> Affects Versions: 1.2, 1.3
> Reporter: Paul Lovvik
> Attachments: SchemaXSS.patch, SOLR-1031.patch
>
>
> If JavaScript is embedded in any of the fields, it is possible for that
> JavaScript to be executed when viewing the schema.
> The JavaScript will appear in the "Top Terms" part of the UI.
> I have created a simple patch to prevent this problem from occurring.
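The escaping idea in a stand-alone form, as an added example that is not from the issue, the Solr patch or Drupal's code: an ENT_QUOTES-style escaper that also covers the single quote and escapes in a single pass (so it does not depend on '&' being replaced before the other characters), used to build a hypothetical "Top Terms" row beside the unescaped concatenation the report describes. The function names and sample terms are constructed for this example.

```javascript
// Added example (not from the issue, Solr or Drupal): ENT_QUOTES-style
// escaping for untrusted schema terms rendered into HTML, beside the unsafe
// string-concatenation pattern that lets a term be parsed as markup.

// Characters that change meaning inside HTML text or quoted attribute values.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#039;', // ENT_QUOTES additionally escapes the single quote
};

// Single-pass replacement: the output never depends on the order in which
// the map is iterated, unlike a per-character loop that must do '&' first.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Unsafe: the term is concatenated straight into markup, so a term that
// contains a tag is parsed as HTML when the row is inserted into the page.
function renderTopTermRowUnsafe(term, count) {
  return '<tr><td>' + term + '</td><td>' + count + '</td></tr>';
}

// Safe: every untrusted value is escaped; attribute values are also quoted.
function renderTopTermRow(term, count) {
  const safeTerm = escapeHtml(term);
  return '<tr><td title="' + safeTerm + '">' + safeTerm +
         '</td><td>' + escapeHtml(count) + '</td></tr>';
}

// Constructed sample terms: a plain one, one carrying markup, and one that
// already contains an entity sequence (escaped again, not passed through).
const SAMPLE_TERMS = [
  ['solr', 42],
  ["<script>alert('x')</script>", 1],
  ['AT&amp;T', 7],
];

function renderTopTermsTable(rows) {
  return '<table>' +
         rows.map(([t, c]) => renderTopTermRow(t, c)).join('') +
         '</table>';
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [term, count] of SAMPLE_TERMS) {
    console.log('unsafe: ' + renderTopTermRowUnsafe(term, count));
    console.log('safe:   ' + renderTopTermRow(term, count));
  }
}
```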