XSS vs Solr, Security vs Usability


Dear experts et al.,

We had a company doing a security audit for us and we realized that we are vulnerable to some subtle forms of XSS, such as:

 " onfocus="alert(document.cookie)
 searchterms=test%22%20onmouseover=%22alertt()%22%3E%3Ca=%22
 searchterms=test"%3E%3Cimg src=x onerror="alert()" a="

We rely on the XSSFilter, but that approach implies having a blacklist, and blacklists get old very quickly. We know the suggested approach is to use a WAF like Akamai, but we still feel that we need to offer security at all levels. Having said that, here is what we are doing:

First of all, we still rely on the XSSFilter, but we also do context-aware HTML encoding for reflected input using:

 org.springframework.web.util.HtmlUtils.htmlEscape()

This approach takes care of escaping double quotes, single quotes, and some other characters that might be problematic. The problem that we have now is Solr. After making this change we cannot find products whose description has special characters, such as ü.

The question here is: is it possible to configure Solr in a way that it works with HTML-escaped text?

Kind regards,

L.
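A sketch of the split the post is working toward, added here as an example and not code from the post, from Spring or from Solr: the raw search term is what goes to the index, and `HtmlUtils.htmlEscape` is applied only at the moment the term is echoed back into the page. `HtmlUtils.htmlEscape` replaces every character that has an HTML 4 named entity, so ü becomes `&uuml;`, which is exactly why an escaped term stops matching product descriptions. The in-memory `INDEX`, the `search` stand-in and the `escapeForSolrQuery` helper are constructed for the illustration (SolrJ ships its own query escaper, `ClientUtils.escapeQueryChars`, which a real deployment would use instead).

```java
import java.util.ArrayList;
import java.util.List;
import org.springframework.web.util.HtmlUtils;

// Added illustration, not code from the post, the shop application or Solr.
public class SearchTermHandling {

    // Constructed stand-in for product descriptions held in the Solr index.
    private static final List<String> INDEX = List.of("Müsli-Riegel 500g", "Plain bread");

    // Characters with meaning in Solr/Lucene query syntax. Escaping them is a
    // query-syntax concern and has nothing to do with HTML; non-ASCII text such
    // as ü passes through unchanged, so it can still match the index.
    // (Hypothetical helper standing in for SolrJ's ClientUtils.escapeQueryChars.)
    static String escapeForSolrQuery(String rawTerm) {
        StringBuilder sb = new StringBuilder(rawTerm.length() * 2);
        for (char c : rawTerm.toCharArray()) {
            if ("\\+-!():^[]\"{}~*?|&;/ ".indexOf(c) >= 0) {
                sb.append('\\');
            }
            sb.append(c);
        }
        return sb.toString();
    }

    // Simulated lookup over the constructed index; a real implementation would
    // send escapeForSolrQuery(rawTerm) to Solr. Matching is done on raw text,
    // so a term that was HTML-escaped first ("M&uuml;sli") finds nothing.
    static List<String> search(String rawTerm) {
        String needle = rawTerm.toLowerCase();
        List<String> hits = new ArrayList<>();
        for (String doc : INDEX) {
            if (doc.toLowerCase().contains(needle)) {
                hits.add(doc);
            }
        }
        return hits;
    }

    // Output encoding happens only here, where the term is written into an HTML
    // attribute. Quotes in the term become &quot; and stay inside the value.
    static String renderEchoedTerm(String rawTerm) {
        return "<input name=\"searchterms\" value=\""
                + HtmlUtils.htmlEscape(rawTerm) + "\">";
    }

    public static void main(String[] args) {
        String term = args.length > 0 ? args[0] : "Müsli";

        // Wrong order: escaping before the lookup changes ü into &uuml;.
        System.out.println("escaped, then searched: " + search(HtmlUtils.htmlEscape(term)));

        // Right order: raw term for the search, HTML escaping only for the response.
        System.out.println("searched raw:           " + search(term));
        System.out.println("solr query literal:     " + escapeForSolrQuery(term));
        System.out.println("echoed into HTML:       " + renderEchoedTerm(term));
    }
}
```

Run with a term such as `Müsli` to see the two orders diverge, or with one of the probes from the audit to confirm that the echoed value stays inside the attribute. The design point is that HTML encoding is an output-context transformation: it belongs where the term is rendered, not on the value handed to the index, so Solr never needs to understand entities at all.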
