[
https://issues.apache.org/jira/browse/SOLR-11468?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Cassandra Targett updated SOLR-11468:
-------------------------------------
Security: Public (was: Private (Security Issue))
Changing the issue to public, since there is consensus by the PMC that it's not
a security vulnerability.
> Missing output encoding in file viewer component on admin UI
> ------------------------------------------------------------
>
> Key: SOLR-11468
> URL: https://issues.apache.org/jira/browse/SOLR-11468
> Project: Solr
> Issue Type: Bug
> Security Level: Public(Default Security Level. Issues are Public)
> Components: Admin UI
> Affects Versions: 7.0.1
> Reporter: Arpad Ilia
> Priority: Major
> Labels: security
> Fix For: 7.5.1
>
> Attachments: SOLR-11468.patch
>
>
> When viewing the contents of a file in "Files", if the file is not an XML
> file (e.g. it is a .txt file) and contains a script, the script will run.
> Example: create a file called 'demo.txt' in one of the cores with the
> following contents:
> <script>alert("JavaScript")</script>
> When viewing the file on the admin UI, a popup will be displayed (indicating
> that the JavaScript code was executed) instead of the script being displayed
> as text.
> This is the part of files.html that is problematic:
> <code ng-bind-html="content | highlight:lang | unsafe"></code>
> This seems to affect all versions with the new (Angular) UI.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
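Added example (not Solr's code, not part of the issue or its attached patch): a plain Node.js model of the file-viewer pipeline quoted above, `content | highlight:lang | unsafe` fed into ng-bind-html, beside a variant that applies the output encoding the issue title says is missing. The `highlight` and `unsafe` filter names are taken from the quoted template line; their bodies here, the `ngBindHtml` stand-in, the `escapeHtml` helper and the `containsLiveScript` check are assumptions for illustration, and the sample file content is constructed to match the demo.txt reproduction in the report.

```javascript
// Added example (not Solr's code). Models the admin UI file viewer pipeline
// described in SOLR-11468 and a hardened variant. Filter bodies below are
// assumptions; only the filter names come from the quoted template line.

// Constructed sample input, mirroring the issue's demo.txt reproduction.
const DEMO_TXT = '<script>alert("JavaScript")</script>';

// Minimal HTML escaper: the "output encoding" the issue title refers to.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Stand-in for the `highlight:lang` filter (assumption): wraps the text in a
// <pre> element and, for non-XML content, passes the body through untouched,
// so any markup present in the file survives into the HTML it returns.
function highlight(text, lang) {
  return `<pre class="lang-${lang}">${text}</pre>`;
}

// Stand-in for the `unsafe` filter (assumption): marks a string as trusted
// HTML so ng-bind-html inserts it as markup instead of sanitising it.
function unsafe(html) {
  return { trustedHtml: html };
}

// Model of ng-bind-html: a trusted value is written as raw markup (the
// innerHTML path), anything else would be rendered as text. Returns the
// string that ends up in the DOM.
function ngBindHtml(value) {
  if (value && typeof value === 'object' && 'trustedHtml' in value) {
    return value.trustedHtml; // raw markup, script tags included
  }
  return escapeHtml(value);
}

// Vulnerable pipeline, as in the quoted template:
//   content | highlight:lang | unsafe
function renderVulnerable(content, lang) {
  return ngBindHtml(unsafe(highlight(content, lang)));
}

// Hardened pipeline: encode the file contents before they are handed to the
// highlighter, so the highlighter's own tags are trusted but the file's are
// not. This is one possible fix, not necessarily the one in SOLR-11468.patch.
function renderHardened(content, lang) {
  return ngBindHtml(unsafe(highlight(escapeHtml(content), lang)));
}

// Reviewer's check: does a live <script> tag reach the DOM string?
function containsLiveScript(html) {
  return /<script[\s>]/i.test(html);
}

console.log('vulnerable:', renderVulnerable(DEMO_TXT, 'txt'));
console.log('hardened:  ', renderHardened(DEMO_TXT, 'txt'));
```

Run with `node` and compare the two lines: the vulnerable render contains the script element verbatim, the hardened render contains only entity-encoded text inside the highlighter's <pre>. Whether this is a vulnerability at all is a separate question, answered above by the PMC; the example only shows the mechanics of the missing encoding.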