hadoop-yarn-dev mailing list archives

From "Mit Desai (JIRA)" <j...@apache.org>
Subject [jira] [Created] (YARN-1932) Javascript injection on the job status page
Date Fri, 11 Apr 2014 15:18:15 GMT
Mit Desai created YARN-1932:
-------------------------------

             Summary: Javascript injection on the job status page
                 Key: YARN-1932
                 URL: https://issues.apache.org/jira/browse/YARN-1932
             Project: Hadoop YARN
          Issue Type: Bug
    Affects Versions: 0.23.9, 3.0.0, 2.5.0
            Reporter: Mit Desai
            Assignee: Mit Desai
            Priority: Critical


Scripts can be injected into the job status page, as the diagnostics field is
not sanitized. Whatever string you set there will show up on the jobs page as it is, i.e.
if you put any script commands, they will be executed in the browser of the user who opens
the page.

We need to escape the diagnostic string in order to not run the scripts.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
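As an added illustration (not code from the YARN project or from this report), the following self-contained Java shows the unsanitized rendering the report describes next to an escaped version of the same cell. The `DiagnosticsEscapeDemo` class, its sample diagnostics string and the `escapeHtml` helper are assumptions made for the example and stand in for whatever escaping helper the project's web framework provides.

```java
// Added example (not Hadoop's code): why an unescaped diagnostics string is a
// script-injection sink, and the escaping that neutralises it.
import java.util.regex.Pattern;

public class DiagnosticsEscapeDemo {

    // Constructed sample: a diagnostics string under the job submitter's control.
    static final String DIAGNOSTICS =
        "Task failed: <script>alert(document.cookie)</script> \"quoted\" & 'more'";

    // Vulnerable rendering: the raw string is concatenated into the page markup.
    static String renderUnsafe(String diagnostics) {
        return "<td class=\"diagnostics\">" + diagnostics + "</td>";
    }

    // Escape the five characters that let text break out of an HTML text node or attribute.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Fixed rendering: the diagnostics text is escaped before it is placed in the markup.
    static String renderEscaped(String diagnostics) {
        return "<td class=\"diagnostics\">" + escapeHtml(diagnostics) + "</td>";
    }

    // Unit-test style check: does the user-supplied part of the cell still contain an element tag?
    private static final Pattern TAG = Pattern.compile("(?i)<\\s*/?\\s*[a-z]");
    static boolean containsTag(String renderedCell) {
        // Strip the fixed <td> wrapper so only the user-supplied content is inspected.
        String body = renderedCell.replaceFirst("^<td[^>]*>", "").replaceFirst("</td>$", "");
        return TAG.matcher(body).find();
    }

    public static void main(String[] args) {
        System.out.println("unsafe:  " + renderUnsafe(DIAGNOSTICS));   // a browser would run the script
        System.out.println("escaped: " + renderEscaped(DIAGNOSTICS));  // a browser shows it as text
        System.out.println("unsafe contains tag:  " + containsTag(renderUnsafe(DIAGNOSTICS)));
        System.out.println("escaped contains tag: " + containsTag(renderEscaped(DIAGNOSTICS)));
    }
}
```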
