[ https://issues.apache.org/jira/browse/SPARK-46893?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Willi Raschkowski updated SPARK-46893:
--------------------------------------
    Attachment: Screen Recording 2024-01-28 at 17.51.47.mov

> Sanitize UI descriptions from inline scripts
> --------------------------------------------
>
>                 Key: SPARK-46893
>                 URL: https://issues.apache.org/jira/browse/SPARK-46893
>             Project: Spark
>          Issue Type: Bug
>          Components: UI, Web UI
>    Affects Versions: 3.4.1
>            Reporter: Willi Raschkowski
>            Priority: Major
>         Attachments: Screen Recording 2024-01-28 at 17.51.47.mov
>
>
> Users can inject inline scripts (e.g. {{onclick}} or {{onmouseover}}
> handlers) in the UI job and stage descriptions.
> The UI already has a precaution to treat, e.g., {{<script>}} tags as
> plain text. But that doesn't extend to inline scripts.
> {code:title=Bad job descriptions}
> scala> sc.setJobDescription("""<a href="/link"
> onmouseover="alert('oops');">onmouseover</a>""")
> scala> spark.sql("SELECT 1").show()
> ...
> scala> sc.setJobDescription("""<a href="/link"
> onclick="alert('oops');">onclick</a>""")
> scala> spark.sql("SELECT 1").show()
> ...
> {code}

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
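An added example, not Spark's own code, of the allowlist check the report argues the UI description rendering needs: a description renders as markup only if every tag and every attribute is on an allowlist and every link is relative; anything else (including the two {{onmouseover}}/{{onclick}} descriptions above) falls back to escaped plain text. The allowed tag set, the relative-link rule and the sample descriptions are this example's own assumptions.

```python
import html
from html.parser import HTMLParser

# Allowlist (assumed for this example): the only tags a description may
# render as markup, and the only attributes each may carry. Any other tag
# or attribute makes the whole description fall back to escaped text.
ALLOWED_ATTRS = {"a": {"href"}, "span": set(), "br": set()}


class _AllowlistChecker(HTMLParser):
    """Walk the markup and record whether every tag and attribute is allowed."""

    def __init__(self):
        super().__init__()
        self.tags_seen = 0
        self.ok = True

    def handle_starttag(self, tag, attrs):
        self.tags_seen += 1
        if tag not in ALLOWED_ATTRS:            # e.g. <script>, <img>
            self.ok = False
            return
        for name, value in attrs:               # names arrive lowercased
            if name not in ALLOWED_ATTRS[tag]:  # rejects onclick, onmouseover, style, ...
                self.ok = False
            elif name == "href" and not (value or "").startswith("/"):
                self.ok = False                 # only relative links: no javascript:, no remote URLs


def is_safe_markup(desc: str) -> bool:
    """True iff desc contains markup and all of it is on the allowlist."""
    checker = _AllowlistChecker()
    checker.feed(desc)
    checker.close()
    return checker.tags_seen > 0 and checker.ok


def render_description(desc: str) -> str:
    """HTML to emit for a job/stage description: the markup itself if it passes
    the allowlist, otherwise the description escaped as plain text."""
    return desc if is_safe_markup(desc) else html.escape(desc, quote=True)


# Constructed inputs: the two descriptions from the report plus a benign link.
BAD_ONMOUSEOVER = '<a href="/link"\nonmouseover="alert(\'oops\');">onmouseover</a>'
BAD_ONCLICK = '<a href="/link"\nonclick="alert(\'oops\');">onclick</a>'
GOOD_LINK = '<a href="/jobs/job/?id=1">job 1</a>'

if __name__ == "__main__":
    for d in (BAD_ONMOUSEOVER, BAD_ONCLICK, GOOD_LINK):
        print(render_description(d))
```

The all-or-nothing fallback keeps the check simple: a description that mixes an allowed link with one disallowed attribute is shown in full, but as text, so the reviewer still sees what was submitted.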