[jira] [Updated] (YARN-1993) Cross-site scripting vulnerability in TextView.java
[ https://issues.apache.org/jira/browse/YARN-1993?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tsuyoshi Ozawa updated YARN-1993:
-
    Assignee: Kenji Kikushima

Cross-site scripting vulnerability in TextView.java
---

    Key: YARN-1993
    URL: https://issues.apache.org/jira/browse/YARN-1993
    Project: Hadoop YARN
    Issue Type: Bug
    Components: webapp
    Reporter: Ted Yu
    Assignee: Kenji Kikushima
    Attachments: YARN-1993.patch

In hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/view/TextView.java, method echo() e.g.:
{code}
for (Object s : args) {
  out.print(s);
}
{code}
Printing s to an HTML page allows cross-site scripting, because it was not properly sanitized for context HTML attribute name.

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (YARN-1993) Cross-site scripting vulnerability in TextView.java
[ https://issues.apache.org/jira/browse/YARN-1993?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kenji Kikushima updated YARN-1993:
--
    Attachment: YARN-1993.patch

For example, how about using StringEscapeUtils, as in this patch?

Cross-site scripting vulnerability in TextView.java
---

    Key: YARN-1993
    URL: https://issues.apache.org/jira/browse/YARN-1993
    Project: Hadoop YARN
    Issue Type: Bug
    Components: webapp
    Reporter: Ted Yu
    Attachments: YARN-1993.patch

In hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/view/TextView.java, method echo() e.g.:
{code}
for (Object s : args) {
  out.print(s);
}
{code}
Printing s to an HTML page allows cross-site scripting, because it was not properly sanitized for context HTML attribute name.

--
This message was sent by Atlassian JIRA (v6.2#6252)
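
The escaping approach suggested in the comment above, shown beside the reported loop as an added example (not code from the Hadoop source or from YARN-1993.patch). The class `EchoEscapeDemo`, its methods, the hand-written `escapeHtml` stand-in for StringEscapeUtils, and the sample arguments are assumptions constructed for illustration.

```java
import java.io.PrintWriter;
import java.io.StringWriter;

public class EchoEscapeDemo {
    // Hand-written stand-in for an HTML entity escaper such as
    // StringEscapeUtils; hypothetical helper, not Hadoop code.
    static String escapeHtml(Object value) {
        String s = String.valueOf(value);   // echo() takes Object; null becomes "null"
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Same loop as in the report (plus a flush): arguments reach the page verbatim.
    static void echoRaw(PrintWriter out, Object... args) {
        for (Object s : args) {
            out.print(s);
        }
        out.flush();
    }

    // Escaped variant: markup characters in the arguments become entities.
    static void echoEscaped(PrintWriter out, Object... args) {
        for (Object s : args) {
            out.print(escapeHtml(s));
        }
        out.flush();
    }

    public static void main(String[] argv) {
        // Constructed sample values standing in for request-derived data.
        Object[] args = { "job=", "<script>alert(1)</script>", " & \"quoted\" ", 42, null };
        StringWriter raw = new StringWriter(), escaped = new StringWriter();
        echoRaw(new PrintWriter(raw), args);
        echoEscaped(new PrintWriter(escaped), args);
        System.out.println("raw:     " + raw);
        System.out.println("escaped: " + escaped);
    }
}
```

Entity escaping of this kind covers element content and quoted attribute values; it does not make a value safe to use as an attribute name or in an unquoted attribute, the context the report mentions.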
[jira] [Updated] (YARN-1993) Cross-site scripting vulnerability in TextView.java
[ https://issues.apache.org/jira/browse/YARN-1993?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ted Yu updated YARN-1993:
-
    Component/s: webapp

Cross-site scripting vulnerability in TextView.java
---

    Key: YARN-1993
    URL: https://issues.apache.org/jira/browse/YARN-1993
    Project: Hadoop YARN
    Issue Type: Bug
    Components: webapp
    Reporter: Ted Yu

In hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/view/TextView.java, method echo() e.g.:
{code}
for (Object s : args) {
  out.print(s);
}
{code}
Printing s to an HTML page allows cross-site scripting, because it was not properly sanitized for context HTML attribute name.

--
This message was sent by Atlassian JIRA (v6.2#6252)