[ https://issues.apache.org/jira/browse/HBASE-5968?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Enis Soztutar updated HBASE-5968: --------------------------------- Description: I noticed that we are not doing html escaping for the rs/master web interfaces, so you can end up generating html like: {code} <tr> <td>ci,,\xEEp/<T\xBE\xC0,1336471826990.fc5a943e75ce8521b1ccdaf72d2c96c8.</td> <td> <a href="hostname">hostname</a> </td> <td>,\xEEp/<T\xBE\xC0</td> <td>-n\xA8\xE0\x15\xDD\x80!</td> <td>2966724</td> </tr> {code} This obviously does not render properly. Also, my crazy theory is that it can be a security risk. Since the region name is computed from table rows, which are most of the time user input. Thus if the rows contain a "<script onload=" or similar, then that will be executed on the developer's browser having possibly access to dev environment. was: I noticed that we are not doing html escaping for the rs/master web interfaces, so you can end up generating html like: {code} <tr> <td>ci,,\xEEp/<T\xBE\xC0,1336471826990.fc5a943e75ce8521b1ccdaf72d2c96c8.</td> <td> <a href="http://hrt24n06.cc1.ygridcore.net:60030/">hrt24n06.cc1.ygridcore.net:60030</a> </td> <td>,\xEEp/<T\xBE\xC0</td> <td>-n\xA8\xE0\x15\xDD\x80!</td> <td>2966724</td> </tr> {code} This obviously does not render properly. Also, my crazy theory is that it can be a security risk. Since the region name is computed from table rows, which are most of the time user input. Thus if the rows contain a "<script onload=" or similar, then that will be executed on the developer's browser having possibly access to dev environment. > Proper html escaping for region names > ------------------------------------- > > Key: HBASE-5968 > URL: https://issues.apache.org/jira/browse/HBASE-5968 > Project: HBase > Issue Type: Bug > Components: util > Affects Versions: 0.96.0 > Reporter: Enis Soztutar > Assignee: Enis Soztutar > > I noticed that we are not doing html escaping for the rs/master web > interfaces, so you can end up generating html like: > {code} > <tr> > > <td>ci,,\xEEp/<T\xBE\xC0,1336471826990.fc5a943e75ce8521b1ccdaf72d2c96c8.</td> > > <td> > <a href="hostname">hostname</a> > </td> > > <td>,\xEEp/<T\xBE\xC0</td> > <td>-n\xA8\xE0\x15\xDD\x80!</td> > <td>2966724</td> > </tr> > {code} > This obviously does not render properly. > Also, my crazy theory is that it can be a security risk. Since the region > name is computed from table rows, which are most of the time user input. Thus > if the rows contain a "<script onload=" or similar, then that will be > executed on the developer's browser having possibly access to dev > environment. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira