[ https://issues.apache.org/jira/browse/SOLR-7949?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15025439#comment-15025439 ]
Upayavira commented on SOLR-7949: --------------------------------- [~mceli] from the fix version, it looks like it was resolved in 5.3.1, so yes, it is in 5.3.0. > Thers is a xss issue in plugins/stats page of Admin Web UI. > ----------------------------------------------------------- > > Key: SOLR-7949 > URL: https://issues.apache.org/jira/browse/SOLR-7949 > Project: Solr > Issue Type: Bug > Components: web gui > Affects Versions: 4.9, 4.10.4, 5.2.1 > Reporter: davidchiu > Assignee: Jan Høydahl > Fix For: 5.4, 5.3.1, Trunk > > > Open Solr Admin Web UI, select a core(such as collection1) and then click > "Plugins/stats",and type a url like > "http://127.0.0.1:8983/solr/#/collection1/plugins/cache?entry=score=<img > src=1 onerror=alert(1);> to the browser address, you will get alert box with > "1". > I changed follow code to resolve this problem: > The Original code: > for( var i = 0; i < entry_count; i++ ) > { > $( 'a[data-bean="' + entries[i] + '"]', frame_element ) > .parent().addClass( 'expanded' ); > } > The Changed code: > for( var i = 0; i < entry_count; i++ ) > { > $( 'a[data-bean="' + entries[i].esc() + '"]', frame_element ) > .parent().addClass( 'expanded' ); > } -- This message was sent by Atlassian JIRA (v6.3.4#6332) --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org For additional commands, e-mail: dev-h...@lucene.apache.org