SOLR-74 - user input wasn't being HTML escaped when echoed back on the page

git-svn-id: https://svn.apache.org/repos/asf/incubator/solr/trunk@487773 13f79535-47bb-0310-9956-ffa450edef68
2006-12-16 08:38:09 +00:00 · 2006-12-16 08:38:09 +00:00 · 6c995edfc2
parent c45fc39d2d
commit 6c995edfc2
3 changed files with 8 additions and 6 deletions
--- a/CHANGES.txt
+++ b/CHANGES.txt
@ -197,6 +197,8 @@ Bug Fixes
 11. Better parsing of pingQuery from solrconfig.xml (hossman, SOLR-70)
 12. Fixed bug with "Distribution" page introduced when Versions were
    added to "Info" page (hossman)
+13. Fixed HTML escaping issues with user input to analysis.jsp and action.jsp
+    (hossman, SOLR-74)

 Other Changes
 1. Upgrade to Lucene 2.0 nightly build 2006-06-22, lucene SVN revision 416224,
--- a/src/webapp/resources/admin/action.jsp
+++ b/src/webapp/resources/admin/action.jsp
@ -15,7 +15,7 @@
 See the License for the specific language governing permissions and
 limitations under the License.
 --%>
-
+<%@ page import="org.apache.solr.util.XML"%>
 <%@ page import="org.apache.solr.core.SolrCore,
                 org.apache.solr.schema.IndexSchema,
                 java.io.File,
@ -98,7 +98,7 @@
      <H3>Action:</H3>
    </td>
    <td>
-      <%= action %><br>
+      <% XML.escapeCharData(action, out); %><br>
    </td>
  </tr>
  <tr>
@ -106,7 +106,7 @@
      <H4>Result:</H4>
    </td>
    <td>
-      <%= enableActionStatus %><br>
+      <% XML.escapeCharData(enableActionStatus, out); %><br>
    </td>
  </tr>
 </table>
--- a/src/webapp/resources/admin/analysis.jsp
+++ b/src/webapp/resources/admin/analysis.jsp
@ -62,7 +62,7 @@
 	<strong>Field name</strong>
  </td>
  <td>
-	<input class="std" name="name" type="text" value="<%= name %>">
+	<input class="std" name="name" type="text" value="<% XML.escapeCharData(name, out); %>">
  </td>
 </tr>
 <tr>
@ -78,7 +78,7 @@
     <%= highlight ? "checked=\"true\"" : "" %> >
  </td>
  <td>
-	<textarea class="std" rows="3" cols="70" name="val"><%= val %></textarea>
+	<textarea class="std" rows="3" cols="70" name="val"><% XML.escapeCharData(val,out); %></textarea>
  </td>
 </tr>
 <tr>
@ -90,7 +90,7 @@
     <%= qverbose ? "checked=\"true\"" : "" %> >
  </td>
  <td>
-	<textarea class="std" rows="1" cols="70" name="qval"><%= qval %></textarea>
+	<textarea class="std" rows="1" cols="70" name="qval"><% XML.escapeCharData(qval,out); %></textarea>
  </td>
 </tr>
 <tr>