hadoop-yarn-issues mailing list archives

From "Ted Yu (JIRA)" <j...@apache.org>
Subject [jira] [Created] (YARN-1993) Cross-site scripting vulnerability in TextView.java
Date Mon, 28 Apr 2014 17:08:20 GMT
Ted Yu created YARN-1993:
----------------------------

             Summary: Cross-site scripting vulnerability in TextView.java
                 Key: YARN-1993
                 URL: https://issues.apache.org/jira/browse/YARN-1993
             Project: Hadoop YARN
          Issue Type: Bug
            Reporter: Ted Yu


In hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/view/TextView.java, method echo(), e.g.:
{code}
    for (Object s : args) {
      out.print(s);
    }
{code}
Printing s to an HTML page allows cross-site scripting, because it was not properly sanitized
for context HTML attribute name.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
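
The pattern from the report beside an escaped variant, as an added example that is not part of the original message and is not Hadoop's code or its fix. The class `EchoEscapeExample`, its helper methods and the attribute-name allowlist are hypothetical, and the sample strings are constructed.

```java
import java.io.PrintWriter;
import java.io.StringWriter;
import java.util.regex.Pattern;

public class EchoEscapeExample {
    // Assumed allowlist for the attribute-name context (not a rule taken from Hadoop).
    static final Pattern ATTR_NAME = Pattern.compile("[A-Za-z][A-Za-z0-9-]*");
    // Pattern from the report: every argument reaches the page unchanged.
    static void echoRaw(PrintWriter out, Object... args) {
        for (Object s : args) { out.print(s); }
    }
    // Entity-escape for HTML text and quoted attribute values.
    static String escapeHtml(Object o) {
        StringBuilder sb = new StringBuilder();
        for (char c : String.valueOf(o).toCharArray()) {
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }
    static void echoEscaped(PrintWriter out, Object... args) {
        for (Object s : args) { out.print(escapeHtml(s)); }
    }

    // Escaping cannot make an attribute name safe; validate it against the allowlist instead.
    static String attrName(String name) {
        if (!ATTR_NAME.matcher(name).matches()) {
            throw new IllegalArgumentException("rejected attribute name");
        }
        return name;
    }

    public static void main(String[] argv) {
        String sample = "<i>user & co</i>"; // constructed input
        StringWriter raw = new StringWriter(), safe = new StringWriter();
        PrintWriter rawOut = new PrintWriter(raw), safeOut = new PrintWriter(safe);
        echoRaw(rawOut, sample); rawOut.flush();
        echoEscaped(safeOut, sample); safeOut.flush();
        System.out.println("raw: " + raw + "\nescaped: " + safe);
        System.out.println("attribute name accepted: " + attrName("data-id"));
        try { attrName("id x=y"); } catch (IllegalArgumentException e) { System.out.println(e.getMessage()); }
    }
}
```

Entity escaping covers HTML text and quoted attribute values only; a value placed where an attribute name is expected has to be validated, which is why `attrName` rejects rather than escapes.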
