From fd33cfdc03df1e8c67deb73a721e62f8563f97a6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20H=C3=B8ydahl?=
Date: Thu, 20 Aug 2015 12:54:07 +0000
Subject: [PATCH] SOLR-7949: Resolve XSS issue in Admin UI stats page

git-svn-id: https://svn.apache.org/repos/asf/lucene/dev/trunk@1696782 13f79535-47bb-0310-9956-ffa450edef68
---
 solr/CHANGES.txt | 2 ++
 solr/webapp/web/js/scripts/plugins.js | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt
index 6135be6be1b..7d5babca0a7 100644
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@@ -144,6 +144,8 @@ Bug Fixes
 * SOLR-7941: multivalued params are concatenated when using config API (noble)
+* SOLR-7949: Resolve XSS issue in Admin UI stats page (David Chiu via janhoy)
+
 Optimizations
 ----------------------
diff --git a/solr/webapp/web/js/scripts/plugins.js b/solr/webapp/web/js/scripts/plugins.js
index 2b60ce05656..f68682f0623 100644
--- a/solr/webapp/web/js/scripts/plugins.js
+++ b/solr/webapp/web/js/scripts/plugins.js
@@ -282,7 +282,7 @@ var render_plugin_data = function( plugin_data, plugin_sort, types )
 var entry_count = entries.length;
 for( var i = 0; i < entry_count; i++ )
 {
- $( 'a[data-bean="' + entries[i] + '"]', frame_element )
+ $( 'a[data-bean="' + entries[i].esc() + '"]', frame_element )
 .parent().addClass( 'expanded' );
 }
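Review bot: On the changed line `$( 'a[data-bean="' + entries[i].esc() + '"]', frame_element )` the bean name is still concatenated into a selector string, and `esc()` (defined outside this hunk, presumably an HTML-entity escaper) is not selector escaping. A `"`, `\` or `]` in the name would still break or alter the attribute selector, and an escaped name may no longer equal the `data-bean` attribute unless that attribute was written with the same escaping. Comparing the attribute value directly avoids building a selector from data at all, e.g. `$( 'a[data-bean]', frame_element ).filter( function() { return $( this ).attr( 'data-bean' ) === entries[i]; } )` followed by the existing `.parent().addClass( 'expanded' )`. The enclosing `render_plugin_data` function starts and ends outside the hunk, so the origin of `entries` is not visible here and should be confirmed when deciding how strictly to treat it.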