Enis Soztutar created HBASE-5968:
------------------------------------

             Summary: Proper html escaping for region names
                 Key: HBASE-5968
                 URL: https://issues.apache.org/jira/browse/HBASE-5968
             Project: HBase
          Issue Type: Bug
          Components: util
    Affects Versions: 0.96.0
            Reporter: Enis Soztutar
            Assignee: Enis Soztutar


I noticed that we are not doing html escaping for the rs/master web interfaces, 
so you can end up generating html like: 
{code}
<tr>
  <td>ci,,\xEEp/<T\xBE\xC0,1336471826990.fc5a943e75ce8521b1ccdaf72d2c96c8.</td>
  
  <td>
    <a href="http://hrt24n06.cc1.ygridcore.net:60030/">hrt24n06.cc1.ygridcore.net:60030</a>
  </td>
  
  <td>,\xEEp/<T\xBE\xC0</td>
  <td>-n\xA8\xE0\x15\xDD\x80!</td>
  <td>2966724</td>
</tr>
{code}

This obviously does not render properly. 

Also, my crazy theory is that it can be a security risk, since the region name 
is computed from table rows, which are most of the time user input. Thus, if 
the rows contain a "<script onload=" or similar, then that will be executed in 
the developer's browser, possibly having access to the dev environment. 
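As an added illustration (not code from the issue or from HBase itself), the Python sketch below renders a constructed region name the way the report describes, once unescaped and once HTML-escaped; `to_string_binary` is an assumed reimplementation of the `\xHH` display format visible in the sample above, and `REGION_NAME` is a constructed value shaped like the quoted one.

```python
import html

# Constructed sample: a region name whose row-key part carries both HTML
# metacharacters ('<') and non-printable bytes, like the one quoted in the issue.
REGION_NAME = b"ci,,\xeep/<T\xbe\xc0,1336471826990.fc5a943e75ce8521b1ccdaf72d2c96c8."


def to_string_binary(data: bytes) -> str:
    """Render bytes as the web UI shows them: printable ASCII (except backslash)
    as-is, everything else as \\xHH. Assumed reimplementation of the display
    format seen in the issue's sample, not HBase's own code."""
    out = []
    for b in data:
        if 32 <= b < 127 and b != 0x5C:
            out.append(chr(b))
        else:
            out.append("\\x%02X" % b)
    return "".join(out)


def render_cell_unescaped(region_name: bytes) -> str:
    # The behaviour reported here: the display string goes straight into the HTML,
    # so any '<' that came from a row key is parsed by the browser as markup.
    return "<td>" + to_string_binary(region_name) + "</td>"


def render_cell_escaped(region_name: bytes) -> str:
    # The fix: escape at the point of output. '&', '<', '>', '"' and "'" become
    # entities, so user-controlled bytes can only be displayed, never interpreted.
    return "<td>" + html.escape(to_string_binary(region_name), quote=True) + "</td>"


def contains_unescaped_markup(cell: str) -> bool:
    # Simple review/test check: a raw '<' or '>' left between the <td> tags means
    # the cell content would still be parsed as a tag by the browser.
    inner = cell[len("<td>"):-len("</td>")]
    return "<" in inner or ">" in inner


if __name__ == "__main__":
    print(render_cell_unescaped(REGION_NAME))  # reproduces the broken rendering
    print(render_cell_escaped(REGION_NAME))    # '<' shown as &lt;, renders as text
```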


--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira