[ https://issues.apache.org/jira/browse/HADOOP-6151?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Owen O'Malley updated HADOOP-6151:
----------------------------------
Release Note: The input parameters for all of the servlets will have the 5
HTML meta characters quoted. The characters are '&', '<', '>', '"' and the
apostrophe. The goal is to ensure that our web UI servlets can't be used for
cross site scripting (XSS) attacks. In particular, it blocks the frequent
(especially for errors) case where the servlet echoes back the parameters to the
user.
> The servlets should quote html characters
> -----------------------------------------
>
> Key: HADOOP-6151
> URL: https://issues.apache.org/jira/browse/HADOOP-6151
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Reporter: Owen O'Malley
> Assignee: Owen O'Malley
> Priority: Critical
> Fix For: 0.21.0
>
> Attachments: h6151.20.patch, h6151.patch, h6151.patch, h6151.patch,
> h6151.patch
>
>
> We need to quote HTML characters that come from user generated data.
> Otherwise, all of the web UIs have cross site scripting attacks, etc.
--
This message is automatically generated by JIRA.
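The quoting described in the release note, as an added example that is not Hadoop's own code: every parameter name and value has the five meta characters replaced before a servlet sees it, so an error page that echoes a parameter emits text rather than markup. The class and method names, the `jobid` parameter and the sample value are constructed for illustration, and `&#39;` is an assumed choice of entity for the apostrophe.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class QuoteParams {
    // Replace the five HTML meta characters named in the release note.
    static String quoteHtmlChars(String s) {
        if (s == null) return null;
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break; // assumed entity choice
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Hypothetical stand-in for a servlet parameter map: quote names and
    // values once, on input, so no individual servlet can forget to do it.
    static Map<String, String[]> quoteAll(Map<String, String[]> raw) {
        Map<String, String[]> quoted = new LinkedHashMap<>();
        for (Map.Entry<String, String[]> e : raw.entrySet()) {
            String[] vals = e.getValue();
            String[] q = new String[vals.length];
            for (int i = 0; i < vals.length; i++) q[i] = quoteHtmlChars(vals[i]);
            quoted.put(quoteHtmlChars(e.getKey()), q);
        }
        return quoted;
    }

    // The error-page case from the release note: the parameter is echoed back.
    static String errorPage(String jobid) {
        return "<p>Unknown job: " + jobid + "</p>";
    }

    public static void main(String[] args) {
        Map<String, String[]> raw = new LinkedHashMap<>();
        // Constructed sample value containing all five meta characters.
        raw.put("jobid", new String[] {"<i>job_1</i> & \"a\" 'b'"});
        System.out.println("raw:    " + errorPage(raw.get("jobid")[0]));
        System.out.println("quoted: " + errorPage(quoteAll(raw).get("jobid")[0]));
    }
}
```

Because the quoting is applied on input, code that uses a parameter for something other than HTML output receives the entity-encoded form, and a value that is quoted a second time on output will be double-encoded.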