[ 
https://issues.apache.org/jira/browse/AURORA-331?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13975416#comment-13975416
 ] 

Suman Karumuri commented on AURORA-331:
---------------------------------------

We have replaced the older string template UI with an AngularJS UI that calls 
to the backend using thrift. So, this should at least take care of the first 
order injection attacks on the job page you pointed to. I will need to double 
check this, but the second order reflective attacks should also be taken care 
of by our AngularJS UI. There are a couple of string template pages still 
there and we need to escape the data in those pages or move them over to 
AngularJS.


> tainted data isn't properly escaped in HTML templates
> -----------------------------------------------------
>
>                 Key: AURORA-331
>                 URL: https://issues.apache.org/jira/browse/AURORA-331
>             Project: Aurora
>          Issue Type: Story
>          Components: UI
>            Reporter: Jay Buffington
>
> My health check failed on the slave:
> {noformat}
> $ grep urlopen  __main__.log
> W0418 15:41:40.155653 15563 health_checker.py:78] Health check failure: 
> Failed to signal http://localhost:31135/health: <urlopen error timed out>
> I0418 15:41:40.655600 15563 status_checker.py:116] HealthCheckerThread 
> reported StatusResult('Failed health check! Failed to signal 
> http://localhost:31135/health: <urlopen error timed out>', status='FAILED')
> {noformat}
> When I looked at the web interface I just saw "FAILED : Failed health check! 
> Failed to signal http://localhost:31135/health:";    I viewed the generated 
> HTML source and saw:
> {noformat}
> - <span class='task-status' status='FAILED'>FAILED</span>
>                                           : Failed health check! Failed to 
> signal http://localhost:31135/health: <urlopen error timed out>
> {noformat}
> Looking at line 185 of 
> "src/main/resources/org/apache/aurora/scheduler/http/schedulerzjob.st"  of 
> git commit gf85e7de I see
> {noformat}
> - <span class='task-status' status='$event.status$'>$event.status$</span>
> {noformat}
> I suspect that this is one example of many places where data needs to be 
> properly escaped before being displayed to the user.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
