[https://issues.apache.org/jira/browse/AIRFLOW-3768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16791870#comment-16791870]
ASF GitHub Bot commented on AIRFLOW-3768:
-----------------------------------------
ashb commented on pull request #4911: [AIRFLOW-3768] Escape search parameter in pagination controls
URL: https://github.com/apache/airflow/pull/4911
Make sure you have checked _all_ steps below.
### Jira
https://issues.apache.org/jira/browse/AIRFLOW-3768
### Description
The `?search=` query parameter was incorrectly escaped in the pagination controls.
The "minidom" we were using from lxml didn't cope with the `>` etc. entities (because it is an XML parser, not an HTML parser): rather than special-casing each one, I have instead swapped out the lxml-based parser for BeautifulSoup, which 1) handles these, and 2) is pure Python, so it is easier to install :)
### Tests
- [ ] My PR adds the following unit tests __OR__ does not need testing for this extremely good reason:
### Commits
- [ ] My commits all reference Jira issues in their subject lines, and I have squashed multiple commits if they address the same issue. In addition, my commits follow the guidelines from "[How to write a good git commit message](http://chris.beams.io/posts/git-commit/)":
1. Subject is separated from body by a blank line
1. Subject is limited to 50 characters (not including Jira issue reference)
1. Subject does not end with a period
1. Subject uses the imperative mood ("add", not "adding")
1. Body wraps at 72 characters
1. Body explains "what" and "why", not "how"
### Documentation
- [ ] In case of new functionality, my PR adds documentation that describes how to use it.
- When adding new operators/hooks/sensors, the autoclass documentation generation needs to be added.
- All the public functions and classes in the PR contain docstrings that explain what they do.
- If you implement backwards-incompatible changes, please leave a note in the [Updating.md](https://github.com/apache/airflow/blob/master/UPDATING.md) so we can assign it to an appropriate release.
### Code Quality
- [ ] Passes `flake8`
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
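The fix described in the PR has two parts: the search value must be encoded correctly when it is reflected into the pagination links, and the test that checks this must parse the result with an HTML parser rather than an XML one. The following is an added example, not code from Apache Airflow or from this PR: it shows the flawed pattern (raw search value spliced into an `href`) beside the corrected one (percent-encode the query, then HTML-escape the URL before placing it in the attribute), and audits both with the standard library's `html.parser` in place of the BeautifulSoup the PR adopted. The `/admin/` base path, the `unsafe_pagination`/`safe_pagination`/`audit` names and the sample search string are all constructed for this illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlencode

# Constructed sample input, shaped like the reflected value in the
# AIRFLOW-3768 report; it is not taken from Airflow's code or tests.
SAMPLE_SEARCH = '"><script>alert(1)</script>'


def unsafe_pagination(total, search, base="/admin/"):
    """Flawed pattern (hypothetical): the raw search value is spliced into
    the href, so a quote in it terminates the attribute and the tag."""
    return "".join(
        '<a href="%s?page=%d&amp;search=%s">%d</a>' % (base, p, search, p + 1)
        for p in range(total)
    )


def safe_pagination(total, search, base="/admin/"):
    """Corrected pattern: percent-encode the query so the value cannot end
    the URL, then HTML-escape the whole URL so it cannot end the attribute
    or introduce a tag. Both layers are needed; neither alone suffices."""
    links = []
    for p in range(total):
        url = base + "?" + urlencode({"page": p, "search": search})
        links.append('<a href="%s">%d</a>' % (html.escape(url, quote=True), p + 1))
    return "".join(links)


class _LinkAudit(HTMLParser):
    """Collects <a href> values and counts <script> start tags."""

    def __init__(self):
        super().__init__()
        self.hrefs = []
        self.script_tags = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        if tag == "a":
            for name, value in attrs:
                if name == "href":
                    self.hrefs.append(value)


def audit(fragment):
    """Parse a rendered fragment with an HTML (not XML) parser and return
    (list of href values as the browser would see them, script tag count).
    A script count above zero means the search value broke out of the href."""
    parser = _LinkAudit()
    parser.feed(fragment)
    parser.close()
    return parser.hrefs, parser.script_tags


if __name__ == "__main__":
    for label, render in (("unsafe", unsafe_pagination), ("safe", safe_pagination)):
        hrefs, scripts = audit(render(2, SAMPLE_SEARCH))
        print("%s: %d script tag(s); hrefs=%r" % (label, scripts, hrefs))
```

Running the block shows the unsafe rendering yielding one `<script>` element per page link with each `href` truncated at the injected quote, while the safe rendering yields zero script elements and intact `href` values whose query still carries the search string, percent-encoded. The audit uses the same parse-then-inspect approach the PR moved its test to; checking what the parser sees, rather than grepping the raw string, is what catches entity-handling differences between parsers.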
> XSS Vulnerability in Search Query Parameter
> -------------------------------------------
>
> Key: AIRFLOW-3768
> URL: https://issues.apache.org/jira/browse/AIRFLOW-3768
> Project: Apache Airflow
> Issue Type: Bug
> Components: security
> Affects Versions: 1.10.1
> Reporter: Media Rest
> Assignee: Ash Berlin-Taylor
> Priority: Critical
>
> In the DAGs page, there is a XSS issue in the search parameter. The input is
> reflected from the search parameter back to the user.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)