lucene-solr-commits mailing list archives

From Apache Wiki <wikidi...@apache.org>
Subject [Solr Wiki] Update of "SolrSecurity" by TomGullo
Date Thu, 18 Nov 2010 14:23:34 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Solr Wiki" for change notification.

The "SolrSecurity" page has been changed by TomGullo.
http://wiki.apache.org/solr/SolrSecurity?action=diff&rev1=16&rev2=17

--------------------------------------------------

  
  Solr has no known [[http://en.wikipedia.org/wiki/Cross-site_scripting|cross-site scripting
vulnerabilities]].
  
+ What if you want the browser to indicate highlighted text, but you also want to protect
yourself from XSS and escape the HTML output.  One way to to  is to escape the HTML output
and then reapply the em tags for highlighting. 
+ 
+ For example, with groovy/grails you could have the following in your controller:
+ {{{
+ snippetToDisplay.encodeAsHTML()
+ snippetToDisplay.replaceAll('&lt;em&gt;', '<em>')
+ snippetToDisplay.replaceAll('&lt;/em&gt;', </em>)
+ }}}
  == Cross-Site Request Forgery (CSRF) ==
  
  Even if a Solr instance is protected by good firewalls so that "bad guys" have no direct
access, that instance may be at risk to potential "[[http://en.wikipedia.org/wiki/Cross-site_request_forgery|Cross-Site
Request Forgery]]" based attacks if the following are all true:
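Review bot: the Groovy snippet in the `{{{ ... }}}` block does not do what the prose says, because Groovy strings are immutable and every call there returns a new String whose value is thrown away: `snippetToDisplay.encodeAsHTML()` on its own line leaves `snippetToDisplay` unencoded, and the two `replaceAll` calls likewise discard their results, so the displayed snippet would be either unescaped (XSS-prone) or, if assigned elsewhere, escaped with no highlighting restored. The third line is also a syntax error, since `</em>` is not quoted. Suggest collapsing the three lines into one assignment, e.g. `snippetToDisplay = snippetToDisplay.encodeAsHTML().replaceAll('&lt;em&gt;', '<em>').replaceAll('&lt;/em&gt;', '</em>')`, so the escaping happens first and only the two literal, attribute-free highlight tags are put back. Worth a sentence in the page text as well: this only holds while the highlighter emits the bare `<em>`/`</em>` tokens; if the pre/post markup is customized, the reverse mapping has to match that exact text and must never reinstate anything carrying attributes, or the escaping is undone. Minor: "One way to to is to escape" in the new paragraph has a duplicated word.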
