[https://issues.apache.org/jira/browse/YARN-1932?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel]
Allen Wittenauer updated YARN-1932:
-----------------------------------
Fix Version/s: (was: 3.0.0)
> Javascript injection on the job status page
> -------------------------------------------
>
> Key: YARN-1932
> URL: https://issues.apache.org/jira/browse/YARN-1932
> Project: Hadoop YARN
> Issue Type: Bug
> Affects Versions: 3.0.0, 0.23.9, 2.5.0
> Reporter: Mit Desai
> Assignee: Mit Desai
> Priority: Blocker
> Fix For: 0.23.11, 2.4.1
>
> Attachments: YARN-1932.patch, YARN-1932.patch
>
>
> Scripts can be injected into the job status page as the diagnostics field is
> not sanitized. Whatever string you set there will show up on the jobs page as
> it is ... i.e. if you put any script commands, they will be executed in the
> browser of the user who is opening the page.
> We need to escape the diagnostic string in order not to run the scripts.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
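The mitigation the description asks for, shown as an added Java example that is not the YARN-1932 patch and not Hadoop's own rendering code: the diagnostics string is HTML-escaped before it is written into the page, so any markup it contains renders as visible text instead of being interpreted by the browser. The class, method names and the sample diagnostics string are constructed for this illustration.

```java
/** Minimal model of writing a job's diagnostics string into the job status page. */
public class DiagnosticsEscapeDemo {

    /** Escape the characters that let text break out of an HTML text node or attribute value. */
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Vulnerable pattern (the bug in the issue): diagnostics are concatenated into the page unchanged. */
    static String renderDiagnosticsUnsafe(String diagnostics) {
        return "<div class=\"diagnostics\">" + diagnostics + "</div>";
    }

    /** Fixed pattern: the string is escaped, so it can only ever render as text. */
    static String renderDiagnosticsSafe(String diagnostics) {
        return "<div class=\"diagnostics\">" + escapeHtml(diagnostics) + "</div>";
    }

    public static void main(String[] args) {
        // Constructed sample (not from the issue): a diagnostics value that happens to contain markup.
        String diagnostics = "Container killed <b>on request</b> & exited with code 143";
        // The unsafe form emits the <b> tag as real markup; the safe form emits &lt;b&gt; as text.
        System.out.println(renderDiagnosticsUnsafe(diagnostics));
        System.out.println(renderDiagnosticsSafe(diagnostics));
    }
}
```

In a real UI the escaping belongs at the point where the string is emitted into HTML, not where it is stored, so that every page that displays the field is covered.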