[
https://issues.apache.org/jira/browse/HBASE-5968?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Enis Soztutar updated HBASE-5968:
---------------------------------
Description:
I noticed that we are not doing html escaping for the rs/master web interfaces,
so you can end up generating html like:
{code}
<tr>
<td>ci,,\xEEp/<T\xBE\xC0,1336471826990.fc5a943e75ce8521b1ccdaf72d2c96c8.</td>
<td>
<a href="hostname">hostname</a>
</td>
<td>,\xEEp/<T\xBE\xC0</td>
<td>-n\xA8\xE0\x15\xDD\x80!</td>
<td>2966724</td>
</tr>
{code}
This obviously does not render properly.
Also, my crazy theory is that it can be a security risk. Since the region name
is computed from table rows, which are most of the time user input. Thus if
the rows contain a "<script onload=" or similar, then that will be executed on
the developer's browser having possibly access to dev environment.
was:
I noticed that we are not doing html escaping for the rs/master web interfaces,
so you can end up generating html like:
{code}
<tr>
<td>ci,,\xEEp/<T\xBE\xC0,1336471826990.fc5a943e75ce8521b1ccdaf72d2c96c8.</td>
<td>
<a
href="http://hrt24n06.cc1.ygridcore.net:60030/";>hrt24n06.cc1.ygridcore.net:60030</a>
</td>
<td>,\xEEp/<T\xBE\xC0</td>
<td>-n\xA8\xE0\x15\xDD\x80!</td>
<td>2966724</td>
</tr>
{code}
This obviously does not render properly.
Also, my crazy theory is that it can be a security risk. Since the region name
is computed from table rows, which are most of the time user input. Thus if
the rows contain a "<script onload=" or similar, then that will be executed on
the developer's browser having possibly access to dev environment.
> Proper html escaping for region names
> -------------------------------------
>
> Key: HBASE-5968
> URL: https://issues.apache.org/jira/browse/HBASE-5968
> Project: HBase
> Issue Type: Bug
> Components: util
> Affects Versions: 0.96.0
> Reporter: Enis Soztutar
> Assignee: Enis Soztutar
>
> I noticed that we are not doing html escaping for the rs/master web
> interfaces, so you can end up generating html like:
> {code}
> <tr>
>
> <td>ci,,\xEEp/<T\xBE\xC0,1336471826990.fc5a943e75ce8521b1ccdaf72d2c96c8.</td>
>
> <td>
> <a href="hostname">hostname</a>
> </td>
>
> <td>,\xEEp/<T\xBE\xC0</td>
> <td>-n\xA8\xE0\x15\xDD\x80!</td>
> <td>2966724</td>
> </tr>
> {code}
> This obviously does not render properly.
> Also, my crazy theory is that it can be a security risk. Since the region
> name is computed from table rows, which are most of the time user input. Thus
> if the rows contain a "<script onload=" or similar, then that will be
> executed on the developer's browser having possibly access to dev
> environment.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
