lucene-dev mailing list archives

From Erik Hatcher <e...@ehatchersolutions.com>
Subject Re: Lucene code review
Date Sat, 16 Dec 2006 10:13:17 GMT

On Dec 16, 2006, at 3:44 AM, Chris Hostetter wrote:
> : what they were).  Solr had cross-site scripting issues in its JSP
> : pages, which I think are now all fixed (?).
>
> SOLR-74, just resolved.
>
> I don't know if I'd really call them XSS issues: they are on the admin
> pages; if a malicious user has access to them, you've got bigger
> problems than them trying XSS exploits.

I concur.  But, at the very least, by fixing this, users' input won't
mangle the output page with unescaped HTML.  For example, a query of
"</html>" would probably have screwed up the output.

	Erik


