[ https://issues.apache.org/jira/browse/SOLR-15678?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17426998#comment-17426998 ]
ASF subversion and git services commented on SOLR-15678:
--------------------------------------------------------
Commit 393f26ad43a55960758834537532e91050908992 in solr's branch
refs/heads/main from Jan Høydahl
[ https://gitbox.apache.org/repos/asf?p=solr.git;h=393f26a ]
SOLR-15678 Allow only known content types in ShowFileRequestHandler (#336)
> Disallow html content-type in ShowFileRequestHandler
> ----------------------------------------------------
>
> Key: SOLR-15678
> URL: https://issues.apache.org/jira/browse/SOLR-15678
> Project: Solr
> Issue Type: Task
> Security Level: Public (Default Security Level. Issues are Public)
> Reporter: Jan Høydahl
> Assignee: Jan Høydahl
> Priority: Major
> Time Spent: 20m
> Remaining Estimate: 0h
>
> ShowFileRequestHandler will return a file from a configSet, and is used in
> the Admin UI. It returns the file using its proper content type, so browsers
> will render JSON, XML and plain text correctly. However, for html files
> (although unlikely in a configset) it is better to render as plain-text in a
> browser. Both to avoid XSS and since users would want to see the html code,
> not a rendered page.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
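
An allowlist check of the kind the issue describes, as an added example that is not Solr's code and not part of the original message. The class name `SafeContentType`, the exact set of allowed types and the `nosniff` header are assumptions made for illustration.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Set;

public class SafeContentType {
    // Assumed allowlist, based on the types the issue names (JSON, XML, plain text).
    private static final Set<String> KNOWN = Set.of(
        "text/plain", "text/xml", "application/xml", "application/json");
    static final String FALLBACK = "text/plain";

    /** Returns the base media type if it is allowlisted, otherwise text/plain. */
    static String resolve(String requested) {
        if (requested == null) return FALLBACK;
        // Drop parameters such as "; charset=utf-8" and normalize case before
        // comparing, so "TEXT/HTML; charset=utf-8" cannot slip past the check.
        int semi = requested.indexOf(';');
        String base = (semi >= 0 ? requested.substring(0, semi) : requested)
            .trim().toLowerCase(Locale.ROOT);
        return KNOWN.contains(base) ? base : FALLBACK;
    }

    /** Response headers for serving a config file with the given declared type. */
    static Map<String, String> headersFor(String requested) {
        return Map.of(
            "Content-Type", resolve(requested) + "; charset=UTF-8",
            // Stops the browser from sniffing HTML out of a text/plain body.
            "X-Content-Type-Options", "nosniff");
    }

    public static void main(String[] args) {
        // Constructed sample inputs: allowed types, HTML variants, other
        // scriptable types, and malformed or missing values.
        String[] samples = {
            "application/json", "text/html", "TEXT/HTML; charset=utf-8",
            "application/xhtml+xml", "image/svg+xml",
            " text/xml ;charset=iso-8859-1", "", null };
        for (String s : samples) {
            System.out.printf("%-32s -> %s%n", s, headersFor(s).get("Content-Type"));
        }
    }
}
```

Anything outside the allowlist, including every HTML variant, is served as `text/plain`, so the browser shows the markup as source instead of rendering it.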