[
https://issues.apache.org/jira/browse/HBASE-3546?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13459586#comment-13459586
]
liang xie commented on HBASE-3546:
----------------------------------
I tried to repro on 0.94 but failed, seems jamon(RegionListTmpl.jamon) did the
HTML escape. I saw the "<script>alert('js')</script>" text in Start/End Key
columns from WebUI, w/o JS code running.
On 0.90, there's no escape in regionserver.jsp, this issue only exists on
0.90(or before), seems didn't worth to fix it?
Please correct me if i am wrong:)
> XSS in the WebUI
> ----------------
>
> Key: HBASE-3546
> URL: https://issues.apache.org/jira/browse/HBASE-3546
> Project: HBase
> Issue Type: Bug
> Reporter: Takuya Ueshin
> Priority: Minor
>
> There are possibilities of XSS in the WebUI.
> If ColumnFamily or Region splitting keys are like
> Bytes.toBytes("<script>alert('js')</script>")
> then browsers run the JavaScript code.
> I tested on HBase-0.90.0 .
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
