[ https://issues.apache.org/jira/browse/HBASE-3546?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13459586#comment-13459586 ]
liang xie commented on HBASE-3546: ---------------------------------- I tried to repro on 0.94 but failed, seems jamon(RegionListTmpl.jamon) did the HTML escape. I saw the "<script>alert('js')</script>" text in Start/End Key columns from WebUI, w/o JS code running. On 0.90, there's no escape in regionserver.jsp, this issue only exists on 0.90(or before), seems didn't worth to fix it? Please correct me if i am wrong:) > XSS in the WebUI > ---------------- > > Key: HBASE-3546 > URL: https://issues.apache.org/jira/browse/HBASE-3546 > Project: HBase > Issue Type: Bug > Reporter: Takuya Ueshin > Priority: Minor > > There are possibilities of XSS in the WebUI. > If ColumnFamily or Region splitting keys are like > Bytes.toBytes("<script>alert('js')</script>") > then browsers run the JavaScript code. > I tested on HBase-0.90.0 . -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira