Jay Buffington created AURORA-331:
-------------------------------------

             Summary: tainted data isn't properly escaped in HTML templates
                 Key: AURORA-331
                 URL: https://issues.apache.org/jira/browse/AURORA-331
             Project: Aurora
          Issue Type: Story
          Components: UI
            Reporter: Jay Buffington


My health check failed on the slave:
{noformat}
$ grep urlopen  __main__.log
W0418 15:41:40.155653 15563 health_checker.py:78] Health check failure: Failed to signal http://localhost:31135/health: <urlopen error timed out>
I0418 15:41:40.655600 15563 status_checker.py:116] HealthCheckerThread reported StatusResult('Failed health check! Failed to signal http://localhost:31135/health: <urlopen error timed out>', status='FAILED')
{noformat}

When I looked at the web interface I just saw "FAILED : Failed health check! Failed to signal http://localhost:31135/health:". I viewed the generated HTML source and saw:
{noformat}
- <span class='task-status' status='FAILED'>FAILED</span>
                                          : Failed health check! Failed to signal http://localhost:31135/health: <urlopen error timed out>
{noformat}

Looking at line 185 of "src/main/resources/org/apache/aurora/scheduler/http/schedulerzjob.st" of git commit gf85e7de I see

{noformat}
- <span class='task-status' status='$event.status$'>$event.status$</span>
{noformat}

I suspect that this is one example of many places where data needs to be 
properly escaped before being displayed to the user.

--
This message was sent by Atlassian JIRA
(v6.2#6252)
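The symptom in this report (the browser treating `<urlopen error timed out>` as an unknown tag and dropping it from the displayed text) is reproducible without the Aurora code base. The following is an added example, not part of the issue and not Aurora's own code: it models the `$event.status$` substitution from the quoted template line with a small regex-based renderer (an assumption about StringTemplate's semantics, not its real engine), renders the log message from the report once verbatim and once HTML-escaped, and approximates what a browser would show for each. The `$event.message$` placeholder and the `render_raw`/`render_escaped`/`visible_text` helpers are constructed for this illustration.

```python
"""Added example (not from the issue or the Aurora project): unescaped vs
escaped substitution of task data into the status HTML fragment."""
import html
import re

# Template line quoted in the issue, plus an assumed second placeholder for
# the event message so the log text can be rendered alongside the status.
TEMPLATE = ("<span class='task-status' status='$event.status$'>$event.status$</span>"
            " : $event.message$")

# Constructed sample event; the message is the failure text from the report.
SAMPLE_EVENT = {
    "status": "FAILED",
    "message": "Failed health check! Failed to signal "
               "http://localhost:31135/health: <urlopen error timed out>",
}

PLACEHOLDER = re.compile(r"\$event\.(\w+)\$")
TAG = re.compile(r"<[^>]*>")


def render_raw(template, event):
    """Substitute placeholders verbatim: the behaviour the issue describes."""
    return PLACEHOLDER.sub(lambda m: str(event[m.group(1)]), template)


def render_escaped(template, event):
    """Substitute placeholders after HTML-escaping each value.

    quote=True also escapes ' and ", which matters because $event.status$
    is interpolated inside a single-quoted attribute value.
    """
    return PLACEHOLDER.sub(
        lambda m: html.escape(str(event[m.group(1)]), quote=True), template)


def visible_text(rendered):
    """Approximate what a browser displays: drop anything tag-shaped, then
    decode entities back to characters."""
    return html.unescape(TAG.sub("", rendered)).strip()


if __name__ == "__main__":
    print("raw:    ", visible_text(render_raw(TEMPLATE, SAMPLE_EVENT)))
    print("escaped:", visible_text(render_escaped(TEMPLATE, SAMPLE_EVENT)))
```

With the raw renderer the visible text stops at `health:`, exactly as described in the report, because `<urlopen error timed out>` was parsed as markup; with the escaped renderer it survives as `&lt;urlopen error timed out&gt;` in the source and as the original text on screen. The general fix is to escape at the point where attribute values enter the template (for example, a renderer applied to every string attribute) rather than patching individual `$...$` sites, since the issue suspects many such places.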