Enis Soztutar created HBASE-5968:
------------------------------------

             Summary: Proper HTML escaping for region names
                 Key: HBASE-5968
                 URL: https://issues.apache.org/jira/browse/HBASE-5968
             Project: HBase
          Issue Type: Bug
          Components: util
    Affects Versions: 0.96.0
            Reporter: Enis Soztutar
            Assignee: Enis Soztutar
I noticed that we are not doing HTML escaping for the rs/master web interfaces, so you can end up generating HTML like:

{code}
<tr>
  <td>ci,,\xEEp/<T\xBE\xC0,1336471826990.fc5a943e75ce8521b1ccdaf72d2c96c8.</td>
  <td><a href="http://hrt24n06.cc1.ygridcore.net:60030/">hrt24n06.cc1.ygridcore.net:60030</a></td>
  <td>,\xEEp/<T\xBE\xC0</td>
  <td>-n\xA8\xE0\x15\xDD\x80!</td>
  <td>2966724</td>
</tr>
{code}

This obviously does not render properly. Also, my crazy theory is that it can be a security risk, since the region name is computed from table rows, which are most of the time user input. Thus, if the rows contain a "<script onload=" or similar, that will be executed in the developer's browser, which possibly has access to the dev environment.
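As an added example (not HBase's own code, and not part of this issue), the following Java helper shows the fix the report asks for: every untrusted cell is HTML-escaped before it is concatenated into the region table, so the `<T` in the region name above is emitted as `&lt;T` and a row key carrying the `<script onload=` fragment from the description becomes inert text. The class name `RegionNameEscaping`, the `regionRow` method and the second, constructed row key are assumptions made for the example; the first region name, server and keys are the ones quoted in the report, written with `\\x` so that the `Bytes.toStringBinary` rendering stays literal.

```java
/**
 * Added example, not HBase code: escape untrusted values before writing them
 * into the region table of the RegionServer/Master web UI.
 */
public class RegionNameEscaping {

    /**
     * Replace the five characters that carry meaning in HTML text and in
     * double- or single-quoted attribute values. Everything else, including the
     * backslash sequences produced by Bytes.toStringBinary, passes through unchanged.
     */
    public static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Render one row of the region table. Region name, start key and end key are
     * derived from row keys and are therefore user-controlled; the server name is
     * escaped too, since it is interpolated into both an attribute and text.
     * (Hypothetical method; HBase's real UI is generated from Jamon templates.)
     */
    public static String regionRow(String regionName, String serverName,
                                   String startKey, String endKey, long requests) {
        String host = escapeHtml(serverName);
        return "<tr>"
             + "<td>" + escapeHtml(regionName) + "</td>"
             + "<td><a href=\"http://" + host + "/\">" + host + "</a></td>"
             + "<td>" + escapeHtml(startKey) + "</td>"
             + "<td>" + escapeHtml(endKey) + "</td>"
             + "<td>" + requests + "</td>"   // numeric, nothing to escape
             + "</tr>";
    }

    public static void main(String[] args) {
        // Values quoted in the report. "\\xEE" keeps the literal backslash sequence
        // that Bytes.toStringBinary produced, rather than a single character.
        String regionName = "ci,,\\xEEp/<T\\xBE\\xC0,1336471826990.fc5a943e75ce8521b1ccdaf72d2c96c8.";
        String server = "hrt24n06.cc1.ygridcore.net:60030";
        String startKey = ",\\xEEp/<T\\xBE\\xC0";
        String endKey = "-n\\xA8\\xE0\\x15\\xDD\\x80!";

        // Unescaped (the report's output): "<T" opens a bogus tag and swallows the cell.
        System.out.println("unescaped: <td>" + regionName + "</td>");
        // Escaped: the browser shows the literal bytes of the region name.
        System.out.println("escaped:   " + regionRow(regionName, server, startKey, endKey, 2966724L));

        // Constructed row key containing the markup fragment mentioned in the report;
        // after escaping it is plain text, so no handler can be attached to it.
        String hostileRegion = "t1,<script onload=alert(1)>,1336471826990.0123456789abcdef0123456789abcdef.";
        System.out.println("hostile:   " + regionRow(hostileRegion, server, "<script onload=", "", 0L));
    }
}
```

The same escaping covers text nodes and quoted attribute values, which is why `host` can be reused inside `href="..."`. If a user-controlled value ever had to form part of a URL (for example, a region name in a query string), it would additionally need URL encoding before the HTML escaping; this example only places the server name there, and it escapes it rather than trusting it.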