[ https://issues.apache.org/jira/browse/HBASE-5968?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13506165#comment-13506165 ]
Elliott Clark commented on HBASE-5968:
--------------------------------------

Yep this is a pretty big security hole.

> Proper html escaping for region names
> -------------------------------------
>
> Key: HBASE-5968
> URL: https://issues.apache.org/jira/browse/HBASE-5968
> Project: HBase
> Issue Type: Bug
> Components: util
> Affects Versions: 0.96.0
> Reporter: Enis Soztutar
> Assignee: Enis Soztutar
>
> I noticed that we are not doing HTML escaping for the rs/master web
> interfaces, so you can end up generating HTML like:
> {code}
> <tr>
>
> <td>ci,,\xEEp/<T\xBE\xC0,1336471826990.fc5a943e75ce8521b1ccdaf72d2c96c8.</td>
>
> <td>
> <a href="hostname">hostname</a>
> </td>
>
> <td>,\xEEp/<T\xBE\xC0</td>
> <td>-n\xA8\xE0\x15\xDD\x80!</td>
> <td>2966724</td>
> </tr>
> {code}
> This obviously does not render properly.
> Also, my crazy theory is that it can be a security risk. Since the region
> name is computed from table rows, which are most of the time user input, if
> the rows contain a "<script onload=" or similar, then that will be
> executed on the developer's browser, possibly having access to the dev
> environment.
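As an added illustration (not code from the issue or from HBase itself), the table row from the report rebuilt in Python: `to_string_binary` mimics the `\xHH` rendering of non-printable bytes in a region name, and `render_row` produces the unescaped cell beside the HTML-escaped one. The second, hostile row key is a constructed assumption standing in for the `<script onload=` case the reporter describes.

```python
import html

def to_string_binary(raw: bytes) -> str:
    """Mimic the \\xHH rendering the HBase UI uses for non-printable bytes.
    Printable ASCII, '<' and '"' included, passes through untouched, which is
    why a hostile row key survives intact all the way into the HTML."""
    out = []
    for b in raw:
        if 0x20 <= b <= 0x7E and b != 0x5C:   # printable, not backslash
            out.append(chr(b))
        else:
            out.append("\\x%02X" % b)
    return "".join(out)

def region_name(table: str, start_key: bytes, ts: int, encoded: str) -> str:
    # table,startkey,timestamp.encodedname.  (the layout shown in the issue)
    return "%s,%s,%d.%s." % (table, to_string_binary(start_key), ts, encoded)

def render_row(table, start_key, end_key, ts, encoded, host, requests,
               escape=True) -> str:
    """Build the <tr> from the issue; escape=False reproduces the bug."""
    cells = [region_name(table, start_key, ts, encoded),
             host, to_string_binary(start_key), to_string_binary(end_key),
             str(requests)]
    if escape:
        # The fix: escape every user-derived value before it reaches the page.
        cells = [html.escape(c, quote=True) for c in cells]
    return ("<tr><td>%s</td><td><a href=\"%s\">%s</a></td>"
            "<td>%s</td><td>%s</td><td>%s</td></tr>"
            % (cells[0], cells[1], cells[1], cells[2], cells[3], cells[4]))

# Constructed sample input: the first key reproduces the one in the issue,
# the second is a hypothetical row key of the kind the reporter warns about.
ISSUE_START = b",\xeep/<T\xbe\xc0"
ISSUE_END = b"-n\xa8\xe0\x15\xdd\x80!"
HOSTILE_START = b'<script onload="x">'

if __name__ == "__main__":
    for key in (ISSUE_START, HOSTILE_START):
        print(render_row("ci", key, ISSUE_END, 1336471826990,
                         "fc5a943e75ce8521b1ccdaf72d2c96c8", "hostname", 2966724))
```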