dnaber 2004/10/18 15:30:15 Modified: . CHANGES.txt Log: document the HTML escape fix for the JSP example Revision Changes Path 1.119 +7 -1 jakarta-lucene/CHANGES.txt Index: CHANGES.txt =================================================================== RCS file: /home/cvs/jakarta-lucene/CHANGES.txt,v retrieving revision 1.118 retrieving revision 1.119 diff -u -r1.118 -r1.119 --- CHANGES.txt 8 Oct 2004 15:58:49 -0000 1.118 +++ CHANGES.txt 18 Oct 2004 22:30:15 -0000 1.119 @@ -102,6 +102,12 @@ low-frequency terms, where the cost of dictionary lookup can be significant. (cutting) +23. The JSP demo page (src/jsp/results.jsp) now properly escapes error + messages which might contain user input (e.g. error messages about + query parsing). If you used that page as a starting point for your + own code please make sure your code also properly escapes HTML + characters from user input in order to avoid so-called cross site + scripting attacks. (Daniel Naber) 1.4.1
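Review bot: The new item 23 tells readers of src/jsp/results.jsp to "properly escape HTML characters from user input" but does not say how the demo page now does it, so someone who copied the page cannot easily mirror the fix; consider naming the escaping approach used in results.jsp (or the revision of that file) in the entry, e.g. "... now escapes error messages using <mechanism> (see results.jsp r<rev>)". Also, the entry only covers error messages from query parsing; if results.jsp echoes the query text or other request parameters elsewhere on the page, the entry should state whether those are escaped as well, since the advice to readers applies equally to them.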