[ https://issues.apache.org/jira/browse/SOLR-1594?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12781522#action_12781522 ]
Bill Au commented on SOLR-1594:
-------------------------------

I just tried it and Jetty does double-escape:

org.apache.lucene.queryParser.ParseException: Cannot parse '"<script>alert("xss")</script>': Lexical error at line 1, column 31. Encountered: <EOF> after : "\")</script>"

So should we leave it up to the appserver to do the right thing or should Solr be more proactive? To me double-escaping is a lesser evil than being vulnerable to an XSS attack.

> SolrDispatchFilter needs to sanitize exception message
> ------------------------------------------------------
>
>                 Key: SOLR-1594
>                 URL: https://issues.apache.org/jira/browse/SOLR-1594
>             Project: Solr
>          Issue Type: Bug
>    Affects Versions: 1.4
>            Reporter: Bill Au
>            Assignee: Bill Au
>             Fix For: 1.5
>
>         Attachments: solr-1594.patch
>
>
> SolrDispatchFilter needs to sanitize exception messages before using them in
> the response. I will attach a patch shortly.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
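
The trade-off raised in the comment above, as an added example that is not part of the original message or of the attached Solr patch: it escapes an exception message in the application, in the container, in both, or in neither, and reports which combination leaves a live tag in the error page. The class and method names are hypothetical, `containerErrorPage` is a stand-in rather than Jetty's own code, and the message is constructed from the exception quoted above.

```java
// Added example, not Solr's code: HTML-escaping an exception message before
// it is written into an error page, and what double-escaping looks like.
public class ErrorMessageEscaping {

    // Escape the five characters that are significant in HTML text and attributes.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Hypothetical stand-in for a servlet container's error page.
    static String containerErrorPage(String message, boolean containerEscapes) {
        String body = containerEscapes ? escapeHtml(message) : message;
        return "<html><body><pre>" + body + "</pre></body></html>";
    }

    // True if the message reached the page as markup rather than as text.
    static boolean hasLiveScriptTag(String page) {
        return page.contains("<script>");
    }

    public static void main(String[] args) {
        // Constructed message modelled on the ParseException quoted above.
        String msg = "Cannot parse '\"<script>alert(\"xss\")</script>'";
        boolean[] flags = {false, true};
        for (boolean appEscapes : flags) {
            for (boolean containerEscapes : flags) {
                String passed = appEscapes ? escapeHtml(msg) : msg;
                String page = containerErrorPage(passed, containerEscapes);
                System.out.printf("app=%b container=%b live=%b%n  %s%n",
                        appEscapes, containerEscapes, hasLiveScriptTag(page), page);
            }
        }
    }
}
```

Only the run where neither layer escapes leaves a live tag in the page; when both escape, the browser shows the entity text (`&lt;script&gt;`) instead of the original characters, which is cosmetically wrong but inert.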