[
https://issues.apache.org/jira/browse/HADOOP-7527?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13082680#comment-13082680
]
Luke Lu commented on HADOOP-7527:
---------------------------------
bq. Mechanisms that cause the dev's code to fail in a safe way are far
preferable to ones that fail with an XSS that lies unfixed for years.
I agree that this is a reasonable stopgap solution until we move to a more
secure web UI framework (cf. HADOOP-7532) ;)
> Make URL encoding consistent
> ----------------------------
>
> Key: HADOOP-7527
> URL: https://issues.apache.org/jira/browse/HADOOP-7527
> Project: Hadoop Common
> Issue Type: Improvement
> Affects Versions: 0.23.0
> Reporter: Eli Collins
>
> URL encoding is currently handled in at least 5 different ways. We should
> make these consistent:
> # Parameters are encoded when a URI object is created
> # HttpServlet uses RequestQuoter to html escape parameter names and values
> # StringEscapeUtils is used to escape parameters in ReconfigurationServlet
> and DatanodeJspHelper
> # URLEncoder and URLDecoder are used in multiple places
> # encodePath from Jetty's URIUtil
> We should also be consistent about how we pass file names in URLs; sometimes
> they're passed in the path segment, sometimes they're passed in the query
> fragment as parameters.
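
The inconsistency the issue describes, shown with JDK classes only. This is an added example, not code from Hadoop or from this thread. The file name, the host `nn.example` and the `asHtmlText` helper are constructed for illustration; the helper is a hypothetical stand-in for an HTML-escaping utility.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.net.URLEncoder;

public class EncodingContexts {
    // Constructed sample: a file name with characters each encoder treats differently.
    static final String NAME = "a b+c&d=<e>.txt";

    // Path segment: the multi-argument URI constructor percent-encodes illegal
    // characters but leaves '+', '&' and '=' alone, since they are legal in a path.
    static String asPath(String name) throws Exception {
        return new URI("http", "nn.example", "/browse/" + name, null).getRawPath();
    }

    // Query parameter: URLEncoder applies form encoding (space becomes '+',
    // a literal '+' becomes %2B, '&' and '=' are percent-encoded).
    static String asQueryValue(String name) throws Exception {
        return URLEncoder.encode(name, "UTF-8");
    }

    // HTML text: hypothetical minimal escaper. Its output is for markup only;
    // it is not a URL encoding and URL encoding is not a substitute for it.
    static String asHtmlText(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    public static void main(String[] args) throws Exception {
        String path = asPath(NAME);
        System.out.println("path : " + path);
        System.out.println("query: " + asQueryValue(NAME));
        System.out.println("html : " + asHtmlText(NAME));

        // Mismatched pair: the form decoder turns the path's literal '+' into a
        // space, so the round trip silently yields a different file name.
        String formDecoded = URLDecoder.decode(path, "UTF-8");
        // Matched pair: URI decodes what URI encoded.
        String uriDecoded = new URI(path).getPath();
        String expected = "/browse/" + NAME;
        System.out.println("form-decoded path round-trips: " + formDecoded.equals(expected));
        System.out.println("URI-decoded path round-trips : " + uriDecoded.equals(expected));
    }
}
```

The same name yields three different strings depending on the output context, and only the decoder that matches the encoder restores it.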