[
https://issues.apache.org/jira/browse/SOLR-16476?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17620455#comment-17620455
]
Kevin Risden commented on SOLR-16476:
-------------------------------------
[~tflobbe] I think was also digging into this a bit.
This is what I pulled up the other day
{code:java}
git grep -F commons.text
solr/core/src/java/org/apache/solr/servlet/LoadAdminUiServlet.java:import org.apache.commons.text.StringEscapeUtils;
# git grep -nF StringEscapeUtils
solr/core/src/java/org/apache/solr/servlet/LoadAdminUiServlet.java:29:import org.apache.commons.text.StringEscapeUtils;
solr/core/src/java/org/apache/solr/servlet/LoadAdminUiServlet.java:81: StringEscapeUtils.escapeEcmaScript(request.getContextPath()),
solr/core/src/java/org/apache/solr/servlet/LoadAdminUiServlet.java:82: StringEscapeUtils.escapeEcmaScript(CommonParams.CORES_HANDLER_PATH),
solr/core/src/java/org/apache/solr/servlet/LoadAdminUiServlet.java:83: StringEscapeUtils.escapeEcmaScript(pack.getSpecificationVersion())
{code}
and
{code:java}
➜ solr git:(main) ./gradlew why --hash 861680f8
To honour the JVM settings for this build a single-use Daemon process will be forked. See https://docs.gradle.org/7.5.1/userguide/gradle_daemon.html#sec:disabling_the_daemon.
Daemon will be stopped at the end of the build
> Task :why
org.apache.commons:commons-text:1.10.0
projects -> 1.10.0
org.apache.commons:commons-configuration2 -> 1.9
{code}
where commons-configuration2 is only used in hadoop-auth.
> Don't need commons-text dependency in solr-core
> -----------------------------------------------
>
> Key: SOLR-16476
> URL: https://issues.apache.org/jira/browse/SOLR-16476
> Project: Solr
> Issue Type: Improvement
> Security Level: Public(Default Security Level. Issues are Public)
> Reporter: David Smiley
> Priority: Minor
> Labels: newdev
>
> I don't think we +really+ need commons-text in solr-core. I see it's for
> only one usage:
> https://github.com/apache/solr/blob/c99af207c761ec34812ef1cc3054eb2804b7448b/solr/core/src/java/org/apache/solr/servlet/LoadAdminUiServlet.java#L83
> {noformat}
> String[] search = new String[] {"${contextPath}", "${adminPath}", "${version}"};
> String[] replace =
>     new String[] {
>       StringEscapeUtils.escapeEcmaScript(request.getContextPath()),
>       StringEscapeUtils.escapeEcmaScript(CommonParams.CORES_HANDLER_PATH),
>       StringEscapeUtils.escapeEcmaScript(pack.getSpecificationVersion())
>     };
> {noformat}
> But contextPath & adminPath are no longer in our admin pages. "version" is.
> Regardless, I don't see why we need to escape EcmaScript; these variables
> come from internal/validated sources that will not have user provided data
> that could hack the pages.
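An added illustration for the escaping question raised in the issue description (not Solr's code and not written by either participant): a JDK-only escaper for a `${version}` value substituted into a JavaScript string literal, so the substitution stays encoded for its output context without the commons-text dependency. The class name, method names and sample template are assumptions made for this example, and the escaper is deliberately stricter than, not a reimplementation of, `StringEscapeUtils.escapeEcmaScript`.

```java
import java.util.Map;

// Added example, not Solr code: all names here are hypothetical.
public class AdminUiTemplateDemo {

  // Escape a value for use inside a quoted JavaScript string literal
  // that is itself embedded in an HTML page.
  static String escapeJsString(String in) {
    StringBuilder sb = new StringBuilder(in.length() + 8);
    for (int i = 0; i < in.length(); i++) {
      char c = in.charAt(i);
      switch (c) {
        case '\\': sb.append("\\\\"); break;
        case '"':  sb.append("\\\""); break;
        case '\'': sb.append("\\'"); break;
        case '/':  sb.append("\\/"); break; // a closing-tag sequence cannot end the script block
        case '\n': sb.append("\\n"); break;
        case '\r': sb.append("\\r"); break;
        case '\t': sb.append("\\t"); break;
        default:
          // Control characters, non-ASCII and HTML-significant characters
          // are written as \\uXXXX so neither parser sees them raw.
          if (c < 0x20 || c > 0x7e || c == '<' || c == '>' || c == '&') {
            sb.append(String.format("\\u%04X", (int) c));
          } else {
            sb.append(c);
          }
      }
    }
    return sb.toString();
  }

  // Replace each ${name} placeholder with its escaped value (literal match, no regex).
  static String render(String template, Map<String, String> values) {
    String out = template;
    for (Map.Entry<String, String> e : values.entrySet()) {
      out = out.replace("${" + e.getKey() + "}", escapeJsString(e.getValue()));
    }
    return out;
  }

  public static void main(String[] args) {
    // Constructed template and values, for illustration only.
    String template = "<script>var solrVersion = \"${version}\";</script>";
    System.out.println(render(template, Map.of("version", "9.1.0")));
    System.out.println(render(template, Map.of("version", "9.1.0 \"nightly\" </b>")));
  }
}
```

A plain version string such as `9.1.0` passes through unchanged, which is why dropping the escaping is behaviour-preserving only as long as the value really comes from the package manifest and never from request data.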