[
https://issues.apache.org/jira/browse/SOLR-1594?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12781530#action_12781530
]
Hoss Man commented on SOLR-1594:
--------------------------------
bq. So should we leave it up to the appserver to do the right thing or should
Solr be more proactive?
As long as we're relying on the default error page of the servlet container, we
shouldnt' attempt to modify the messages in anyway, becaus that will just screw
things up for servlet containers that do the correct behavior. if there is an
XSS risk, it's caused by the servlet container, and that's where it should be
fixed.
i don't mind putting in work arrounds for specific servlet containers when it
doesn't affect anybody else, but double escaping would defiitely cause problems
for people who have good default error pages in their servlet containers (or
who customize the solr webapp to add their own error page)
we should focus our efforts on something like SOLR-141 instead of trying to
apply html specific sanitizing.
> SolrDispatchFilter needs to sanitize exception message
> ------------------------------------------------------
>
> Key: SOLR-1594
> URL: https://issues.apache.org/jira/browse/SOLR-1594
> Project: Solr
> Issue Type: Bug
> Affects Versions: 1.4
> Reporter: Bill Au
> Assignee: Bill Au
> Fix For: 1.5
>
> Attachments: solr-1594.patch
>
>
> SolrDispatchFIlter needs to sanitize exception messages before using them in
> the response. I will attach a patch shortly.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
