SOLR-7346: Stored XSS in Admin UI Schema-Browser page and Analysis page

git-svn-id: https://svn.apache.org/repos/asf/lucene/dev/trunk@1671580 13f79535-47bb-0310-9956-ffa450edef68
2015-04-06 16:49:47 +00:00 · 2015-04-06 16:49:47 +00:00 · a0c4e5186e
parent e2bc6dc8ec
commit a0c4e5186e
3 changed files with 7 additions and 5 deletions
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@ -503,6 +503,8 @@ Other Changes
 * SOLR-7290: Rename catchall _text field in data_driven_schema_configs
  to _text_ (Steve Rowe) 

+* SOLR-7346: Stored XSS in Admin UI Schema-Browser page and Analysis page (Mei Wang via Timothy Potter)
+
 ==================  5.0.0 ==================

 Consult the LUCENE_CHANGES.txt file for additional, low level, changes in this release.
--- a/solr/webapp/web/js/scripts/analysis.js
+++ b/solr/webapp/web/js/scripts/analysis.js
@ -80,7 +80,7 @@ sammy.get
              {
                fields.push
                (
-                  '<option value="fieldname=' + field_name + '">' + field_name + '</option>'
+                  '<option value="fieldname=' + field_name.esc() + '">' + field_name.esc() + '</option>'
                );
              }
              if( 0 !== fields.length )
@ -95,7 +95,7 @@ sammy.get
              {
                types.push
                (
-                  '<option value="fieldtype=' + type_name + '">' + type_name + '</option>'
+                  '<option value="fieldtype=' + type_name.esc() + '">' + type_name.esc() + '</option>'
                );
              }
              if( 0 !== types.length )
--- a/solr/webapp/web/js/scripts/schema-browser.js
+++ b/solr/webapp/web/js/scripts/schema-browser.js
@ -596,7 +596,7 @@ sammy.bind
                    {
                      fields.push
                      (
-                        '<option value="?field=' + field_name + '">' + field_name + '</option>'
+                        '<option value="?field=' + field_name.esc() + '">' + field_name.esc() + '</option>'
                      );
                    }
                    if( 0 !== fields.length )
@ -612,7 +612,7 @@ sammy.bind
                    {
                      dynamic_fields.push
                      (
-                        '<option value="?dynamic-field=' + type_name + '">' + type_name + '</option>'
+                        '<option value="?dynamic-field=' + type_name.esc() + '">' + type_name.esc() + '</option>'
                      );
                    }
                    if( 0 !== dynamic_fields.length )
@ -628,7 +628,7 @@ sammy.bind
                    {
                      types.push
                      (
-                        '<option value="?type=' + type_name + '">' + type_name + '</option>'
+                        '<option value="?type=' + type_name.esc() + '">' + type_name.esc() + '</option>'
                      );
                    }
                    if( 0 !== types.length )