This is an automated email from the ASF dual-hosted git repository.

asnaik pushed a commit to branch branch-2.7
in repository https://gitbox.apache.org/repos/asf/ambari.git


The following commit(s) were added to refs/heads/branch-2.7 by this push:
     new 4708077  AMBARI-25384 Ambari Files View is Vulnerable to XSS attack 
(asnaik) (#3088)
4708077 is described below

commit 47080774506b7011b02e4d6f7afba16c87f212b6
Author: Asnaik HWX <asn...@hortonworks.com>
AuthorDate: Tue Oct 1 14:57:48 2019 +0530

    AMBARI-25384 Ambari Files View is Vulnerable to XSS attack (asnaik) (#3088)
---
 .../views/files/src/main/resources/ui/app/components/delete-modal.js    | 2 +-
 .../views/files/src/main/resources/ui/app/services/alert-messages.js    | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git 
a/contrib/views/files/src/main/resources/ui/app/components/delete-modal.js 
b/contrib/views/files/src/main/resources/ui/app/components/delete-modal.js
index cb71ba7..49f6e9d 100644
--- a/contrib/views/files/src/main/resources/ui/app/components/delete-modal.js
+++ b/contrib/views/files/src/main/resources/ui/app/components/delete-modal.js
@@ -80,7 +80,7 @@ export default Ember.Component.extend(OperationModal, {
           this.set('hasError', true);
           this.set('currentFailedPath', error.failed);
           this.set('currentServerFailureMessage', error.message);
-          this.set('currentFailureMessage', `Failed to delete 
<strong>${error.failed}</strong>.`);
+          this.set('currentFailureMessage', `Failed to delete 
<strong>${Ember.Handlebars.Utils.escapeExpression(error.failed)}</strong>.`);
           this.set('shouldRetry', error.retry);
           this.set('currentUnprocessedPaths', error.unprocessed);
         } else {
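Review bot: The escaped `${...}` inside the `<strong>` tag only renders as markup if `currentFailureMessage` is later output unescaped (a triple-stash binding or `htmlSafe`), and in that same rendering mode the two sibling properties set from the same error object, `currentFailedPath` (`error.failed`) and `currentServerFailureMessage` (`error.message`), are still assigned raw — if the template shows either of them the same way, they are the same injection point this commit closes. The hunk does not show the template, so this is inferred; a one-line comment on the `currentFailureMessage` line stating the contract would make the intent reviewable: `// error.failed is server-supplied; escape it because this string is rendered as HTML to keep the <strong> markup`. The action handler containing these `this.set` calls starts and ends outside the hunk.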
diff --git 
a/contrib/views/files/src/main/resources/ui/app/services/alert-messages.js 
b/contrib/views/files/src/main/resources/ui/app/services/alert-messages.js
index ed4cff1..001a467 100644
--- a/contrib/views/files/src/main/resources/ui/app/services/alert-messages.js
+++ b/contrib/views/files/src/main/resources/ui/app/services/alert-messages.js
@@ -75,6 +75,8 @@ export default Ember.Service.extend({
 
   _processMessage: function(type, message, options, alertOptions) {
     this._clearMessagesIfRequired(alertOptions);
+    //escape html characters in the message
+    message = Ember.Handlebars.Utils.escapeExpression(message);
     let alertRecord = this._createAlert(message, type, options, alertOptions);
     if(alertRecord) {
       this.toggleProperty('alertsChanged');
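Review bot: Escaping in `_processMessage` is only correct if the alert template renders `message` unescaped (triple-stash or `htmlSafe`); with a normal `{{message}}` binding Ember escapes again and the entities appear literally (`&lt;` instead of `<`), which the hunk does not let me confirm either way. The added comment should also record the contract this creates for callers, since Handlebars' `escapeExpression` returns `toHTML()` for `SafeString` values and stringifies anything else: `// Every message is treated as plain text here; callers that need markup must pass an htmlSafe string, which escapeExpression passes through unescaped`. As a point of style, reassigning the `message` parameter could be avoided with `const safeMessage = Ember.Handlebars.Utils.escapeExpression(message);` and passing `safeMessage` to `_createAlert`.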
