GitHub user ambauma opened a pull request: https://github.com/apache/spark/pull/19538
[SPARK-20393][WEBU UI][2.0] Strengthen Spark to prevent XSS vulnerabilities

## What changes were proposed in this pull request?

This is the fix for the master branch applied to the 2.0 branch. My (unnamed) company will be using Spark 1.6 probably for another year. We have been blocked from having Spark 1.6 on our workstations until CVE-2017-7678 is patched, which SPARK-20393 does. I was told I need to patch branch 2.0 before branch 1.6 could be patched.

## How was this patch tested?

The patch came with unit tests. The test build passed. Manual testing on one of the affected screens showed the newline character removed. Screen display was the same regardless (HTML ignores newline characters).

![screenshot from 2017-10-19 12-54-01](https://user-images.githubusercontent.com/12421739/31786133-09ab7ea2-b4cd-11e7-88db-68c09e5b955b.png)

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/ambauma/spark branch-2.0

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/spark/pull/19538.patch

To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message:

    This closes #19538

----
commit 94918ea5e46ec1a1e8f12677bce51634efee6e35
Author: NICHOLAS T. MARION <nmar...@us.ibm.com>
Date:   2017-05-10T09:59:57Z

    [SPARK-20393][WEBU UI] Strengthen Spark to prevent XSS vulnerabilities

    Add stripXSS and stripXSSMap to Spark Core's UIUtils. Calling these functions at any point that getParameter is called against a HttpServletRequest.

    Unit tests, IBM Security AppScan Standard no longer showing vulnerabilities, manual verification of WebUI pages.

    Author: NICHOLAS T. MARION <nmar...@us.ibm.com>

    Closes #17686 from n-marion/xss-fix.

commit 3e01302e8870c3193232463b03a734a0980be554
Author: ambauma <andrew.m.baum...@gmail.com>
Date:   2017-10-19T00:54:58Z

    Changes based on code review.
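As an added illustration (not Spark's own UIUtils code), the following shows the shape of the mitigation the commit above describes: scrub every request parameter (and a whole getParameterMap-style map) before it reaches the rendered page, first dropping raw and percent-encoded line breaks plus single quotes, then HTML-escaping the rest. The exact character set, the `strip_xss`/`strip_xss_map` names and the `is_render_safe` check are assumptions made for this example.

```python
import html
import re

# Assumed character set for this example, not Spark's actual regex: raw and
# percent-encoded CR/LF plus single quotes (raw and %27), case-insensitive.
NEWLINE_AND_QUOTE_RE = re.compile(r"(?i)(\r\n|\n|\r|%0D%0A|%0A|%0D|'|%27)")


def strip_xss(param):
    """Return a rendering-safe copy of one request parameter (None passes through).

    Step 1 removes line breaks and single quotes, the characters that let a
    value break out of an attribute or terminate an HTTP header line.
    Step 2 HTML-escapes what remains so any markup in the value renders as text.
    """
    if param is None:
        return None
    return html.escape(NEWLINE_AND_QUOTE_RE.sub("", param), quote=True)


def strip_xss_map(params):
    """Apply strip_xss to every value of a servlet-style parameter map
    (name -> list of values), the shape getParameterMap() returns."""
    return {name: [strip_xss(v) for v in values] for name, values in params.items()}


def is_render_safe(value):
    """Defender's check: True when no raw '<', '>', quotes or line breaks remain."""
    return re.search("[<>\"'\r\n]", value) is None


if __name__ == "__main__":
    # Constructed sample request, as a servlet would expose it after parsing
    # a query string such as ?id=<script>...</script>%0A&sort=asc
    request_params = {
        "id": ["<script>alert('x')</script>\n"],
        "sort": ["asc"],
    }
    for name, values in strip_xss_map(request_params).items():
        print(name, values, all(is_render_safe(v) for v in values))
```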