On Wed, Nov 26, 2014 at 10:47 AM, Lee Carroll
<lee.a.carr...@googlemail.com> wrote:
> The applications using the data may write solr data to the dom. (I doubt
> they do but they could now or in the future. They have an expectation of
> trusting the data back from solr).
>
> As a straight forward attack you are right though. But is it incorrect
> behavior? It should not produce bogus fields and values for each record
> returned?

That's actually by design (pseudo-fields).  You can also set arbitrary
output keys for other stuff like faceting.
In general, it's not possible to escape dangerous values for the
client since the number of clients is practically unlimited (i.e. we
don't know if values will be used in a SQL query, a PHP front-end, or
whatever).  All we can do is ensure that we correctly encapsulate
values and then leave the rest up to the client who knows how they
will use the values.

-Yonik
http://heliosearch.org - native code faceting, facet functions,
sub-facets, off-heap data

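The point Yonik makes above (Solr encapsulates the key and value correctly; escaping for the output context is the client's job) in working code. This is an added example, not code from the thread or from Solr: the response body is constructed to look like what a client would receive when the query's `fl` parameter aliased a field to an HTML-looking name, and the function names (`parseDocs`, `renderUnsafe`, `renderSafe`, `escapeHtml`, `containsRawTag`) are illustrative, not Solr APIs.

```javascript
// Added example (not from the thread or from Solr): a constructed Solr-style
// JSON response whose document keys were chosen by the caller via `fl`
// aliasing, plus a naive and a hardened renderer for it.

// Constructed sample. Solr correctly encapsulates the odd key as a JSON
// string; nothing is broken yet. The problem starts when a client assumes
// "it came from Solr, so it is safe" and interpolates keys or values raw.
const SAMPLE_RESPONSE = JSON.stringify({
  responseHeader: { status: 0, QTime: 1 },
  response: {
    numFound: 1,
    start: 0,
    docs: [
      {
        id: "doc-1",
        // pseudo-field whose output key was chosen by whoever built the query
        "<img src=x onerror=alert(1)>": 1.0,
        // an ordinary stored value that needs escaping just the same
        title: "Plain <b>title</b> & text"
      }
    ]
  }
});

// Escape for the HTML text context. A different sink (SQL, shell, a PHP
// template, an attribute) needs a different escaper; that is why a search
// server cannot do this step for its clients.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"
  }[ch]));
}

// JSON.parse is the "correct encapsulation" half of the contract: the key
// comes back exactly as the query asked for it, angle brackets and all.
function parseDocs(responseText) {
  return JSON.parse(responseText).response.docs;
}

// Vulnerable: trusts both keys and values because they arrived from Solr.
function renderUnsafe(doc) {
  return "<dl>" + Object.entries(doc)
    .map(([k, v]) => `<dt>${k}</dt><dd>${v}</dd>`)
    .join("") + "</dl>";
}

// Hardened: escape at the point of use, for the context being written into.
function renderSafe(doc) {
  return "<dl>" + Object.entries(doc)
    .map(([k, v]) => `<dt>${escapeHtml(k)}</dt><dd>${escapeHtml(v)}</dd>`)
    .join("") + "</dl>";
}

// Helper used to check whether a rendered fragment still carries a live tag.
function containsRawTag(html) {
  return /<img\b/i.test(html);
}

const docs = parseDocs(SAMPLE_RESPONSE);
console.log("unsafe:", renderUnsafe(docs[0])); // live <img ... onerror=...> tag
console.log("safe:  ", renderSafe(docs[0]));   // only &lt;img ...&gt; text
```

In a real browser client the same rule holds with or without a helper: build elements with `document.createElement` and set `textContent`, and never hand a Solr key or value to `innerHTML` unescaped. Note that the key, not just the value, is untrusted here, which is exactly the pseudo-field behaviour the thread discusses.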