[
https://issues.apache.org/jira/browse/SPARK-46893?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Willi Raschkowski updated SPARK-46893:
--------------------------------------
Attachment: Screen Recording 2024-01-28 at 17.51.47.mov
> Sanitize UI descriptions from inline scripts
> --------------------------------------------
>
> Key: SPARK-46893
> URL: https://issues.apache.org/jira/browse/SPARK-46893
> Project: Spark
> Issue Type: Bug
> Components: UI, Web UI
> Affects Versions: 3.4.1
> Reporter: Willi Raschkowski
> Priority: Major
> Attachments: Screen Recording 2024-01-28 at 17.51.47.mov
>
>
> Users can inject inline scripts (e.g. {{onclick}} or {{onmouseover}}
> handlers) in the UI job and stage descriptions.
> The UI already has precaution to treat, e.g., {{<script>}} tags as
> plain-text. But that doesn't extend to inline scripts.
> {code:title=Bad job descriptions}
> scala> sc.setJobDescription("""<a href="/link"
> onmouseover="alert('oops');">onmouseover</a>""")
> scala> spark.sql("SELECT 1").show()
> ...
> scala> sc.setJobDescription("""<a href="/link"
> onclick="alert('oops');">onclick</a>""")
> scala> spark.sql("SELECT 1").show()
> ...
> {code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org
For additional commands, e-mail: issues-h...@spark.apache.org
