Details
Bug
Status: Closed
Minor
Resolution: Not A Problem
3.5
None
None
Description
There's no filtering of the wrapper function name passed to the Solr search service.
If the name of the wrapper function passed to the Solr query service is the following string:
%3C!doctype%20html%3E%3Chtml%3E%3Cbody%3E%3Cimg%20src=%22x%22%20onerror=%22alert%281%29%22%3E%3C/body%3E%3C/html%3E
Solr passes the string back as-is, which results in an XSS attack in browsers like IE-7 that perform MIME sniffing. In any case, the callback function in a JSONP response should always be sanitized: http://stackoverflow.com/questions/2777021/do-i-need-to-sanitize-the-callback-parameter-from-a-jsonp-call
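As an added defender-side illustration (not Solr's own code, and written in Python rather than Solr's Java), this is the kind of check a JSONP endpoint should apply to a wrapper parameter such as Solr's `json.wrf`: the callback is accepted only if it looks like a plain JavaScript member path, the reply is served as script rather than HTML, and `X-Content-Type-Options: nosniff` is set so MIME-sniffing browsers respect the declared type. The sample wrapper value is the one quoted in this report, URL-decoded; the function names are assumptions for this example.

```python
import json
import re
from urllib.parse import unquote

# Constructed sample input: the wrapper value quoted in this report, URL-decoded.
REPORTED_WRAPPER = unquote(
    "%3C!doctype%20html%3E%3Chtml%3E%3Cbody%3E%3Cimg%20src=%22x%22"
    "%20onerror=%22alert%281%29%22%3E%3C/body%3E%3C/html%3E"
)

# A JSONP callback must be a JS member path: identifiers joined by dots,
# e.g. "jQuery17_cb" or "myApp.handlers.onSearch". Anything else is refused.
_CALLBACK_RE = re.compile(r"[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*", re.ASCII)


def is_safe_callback(name: str, max_len: int = 128) -> bool:
    """True only for a bounded-length, identifier-shaped callback name."""
    return 0 < len(name) <= max_len and _CALLBACK_RE.fullmatch(name) is not None


def jsonp_response(wrapper: str, payload: dict) -> tuple[int, dict, str]:
    """Build (status, headers, body) for a JSONP reply, refusing unsafe wrappers."""
    headers = {
        # Declare the body as script, never text/html, so a compliant browser
        # does not render it as a page.
        "Content-Type": "application/javascript; charset=utf-8",
        # Ask sniffing browsers to trust the declared type.
        "X-Content-Type-Options": "nosniff",
    }
    if not is_safe_callback(wrapper):
        # Reject rather than reflect: the attacker-controlled string never
        # reaches the response body.
        headers["Content-Type"] = "application/json; charset=utf-8"
        return 400, headers, json.dumps({"error": "invalid callback name"})
    body = json.dumps(payload)
    # The leading "/**/" is a common hardening so the response cannot begin
    # with attacker-chosen bytes even if a future check were loosened.
    return 200, headers, f"/**/{wrapper}({body});"
```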