lucene-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Erick Erickson (Jira)" <j...@apache.org>
Subject [jira] [Commented] (SOLR-13987) fix admin UI to not rely on javascript eval()
Date Tue, 03 Dec 2019 14:25:00 GMT

    [ https://issues.apache.org/jira/browse/SOLR-13987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16986947#comment-16986947
] 

Erick Erickson commented on SOLR-13987:
---------------------------------------

There was some discussion on SOLR-12276. Part of the discussion is whether to migrate to Angular2
or a completely different framework. IDK whether Angular2 suffers the same vulnerabilities
or not or even whether it's really easier than a new framework...

> fix admin UI to not rely on javascript eval()
> ---------------------------------------------
>
>                 Key: SOLR-13987
>                 URL: https://issues.apache.org/jira/browse/SOLR-13987
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>            Reporter: Robert Muir
>            Priority: Major
>
> Followup from SOLR-13982: currently any CSP is weak because it must allow this eval:
means arbitrary javascript can still be executed. 
> Let's fix the admin UI to not require eval so it can be disabled by the browser.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@lucene.apache.org
For additional commands, e-mail: issues-help@lucene.apache.org


Mime
View raw message