This is an automated email from the ASF dual-hosted git repository.
wuzhiguo pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ambari.git
The following commit(s) were added to refs/heads/trunk by this push:
new 379c98e84f AMBARI-25384: Ambari Files View is Vulnerable to XSS attack
(#3490)
379c98e84f is described below
commit 379c98e84feac7c53dcff8b739b0dedf4d2345f9
Author: Zhiguo Wu <[email protected]>
AuthorDate: Tue Nov 15 00:36:53 2022 +0800
AMBARI-25384: Ambari Files View is Vulnerable to XSS attack (#3490)
---
.../views/files/src/main/resources/ui/app/components/delete-modal.js | 2 +-
.../views/files/src/main/resources/ui/app/services/alert-messages.js | 2 ++
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git
a/contrib/views/files/src/main/resources/ui/app/components/delete-modal.js
b/contrib/views/files/src/main/resources/ui/app/components/delete-modal.js
index cb71ba7b92..49f6e9dd25 100644
--- a/contrib/views/files/src/main/resources/ui/app/components/delete-modal.js
+++ b/contrib/views/files/src/main/resources/ui/app/components/delete-modal.js
@@ -80,7 +80,7 @@ export default Ember.Component.extend(OperationModal, {
this.set('hasError', true);
this.set('currentFailedPath', error.failed);
this.set('currentServerFailureMessage', error.message);
- this.set('currentFailureMessage', `Failed to delete
<strong>${error.failed}</strong>.`);
+ this.set('currentFailureMessage', `Failed to delete
<strong>${Ember.Handlebars.Utils.escapeExpression(error.failed)}</strong>.`);
this.set('shouldRetry', error.retry);
this.set('currentUnprocessedPaths', error.unprocessed);
} else {
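Review bot: Only `error.failed` is escaped on the new line, while `error.message` stored into `currentServerFailureMessage` on the line above is still passed through verbatim; if the template renders that property through the same raw-HTML path that `currentFailureMessage` evidently needs (it embeds a `<strong>` tag), a server-side message that echoes the offending path would reopen the same XSS. I cannot see the template from this hunk, so treat this as a check to make rather than a confirmed bug: either escape it the same way, `this.set('currentServerFailureMessage', Ember.Handlebars.Utils.escapeExpression(error.message));`, or verify the template binds it with auto-escaping double curlies. A short why-comment would also help the next maintainer keep the escaping in place: `// error.failed is a user-controlled path and currentFailureMessage is rendered as HTML, so escape it`. The enclosing error handler starts and ends outside this hunk.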
diff --git
a/contrib/views/files/src/main/resources/ui/app/services/alert-messages.js
b/contrib/views/files/src/main/resources/ui/app/services/alert-messages.js
index ed4cff1aac..001a4676e0 100644
--- a/contrib/views/files/src/main/resources/ui/app/services/alert-messages.js
+++ b/contrib/views/files/src/main/resources/ui/app/services/alert-messages.js
@@ -75,6 +75,8 @@ export default Ember.Service.extend({
_processMessage: function(type, message, options, alertOptions) {
this._clearMessagesIfRequired(alertOptions);
+ //escape html characters in the message
+ message = Ember.Handlebars.Utils.escapeExpression(message);
let alertRecord = this._createAlert(message, type, options, alertOptions);
if(alertRecord) {
this.toggleProperty('alertsChanged');