List,
Bear with me as I recount my learning process. My questions follow:
I have deployed the demo successfully, with some edits for results display and the
like (really superficial in nature overall). One thing I did do was display the query
back to the user in the result page. In doing so, I introduced a possibly security
hole. This stems from something I noticed about the demo: it has no real input
validation to speak of. Hey, it's a demo, I'm not pointing fingers. Input validation
is the implementors responsibility, and I have accepted that responsibility.
My problem can be seen in the following examples. I entered a simple query:
<script>alert("test")</script>
The results returned alright... after displaying a javascript alert. This of course
could be a bridge for more sophisticated cross-site scripting attacks. The following
query *DID NOT WORK*:
<script>alert(document.cookie)</script>
Typing the same thing in the location bar using the javascript pseudo protocol *DOES
WORK*:
javascript:alert(document.cookie)
Why the former cookie alert worked and the latter did not is possibly a built in
security feature of Tomcat, I'm not sure (feedback sought here).
My first pass at solving the problem was to filter the query for display using the
static Entities.encode() method provided with the demo. This seems to have fixed the
alert in the results page, the query is properly displayed as clear text, like a PRE
element might display it.
1. If anyone can provide some feedback on this solution I would appreciate it.
Examples of other modifications to the demo to beef up input validation are sought
too. (I have considered writing a character replacement method for the queries, but I
think this could impact performance.)
Another question, somewhat unrelated, is given a query:
<script>alert("test")</script>
Results are returned matching the quoted portion, in this example "test".
2. Can someone more familiar with the Lucene engine elaborate on why this works?
Thanks!
Tim
--
To unsubscribe, e-mail: <mailto:lucene-user-unsubscribe@;jakarta.apache.org>
For additional commands, e-mail: <mailto:lucene-user-help@;jakarta.apache.org>
