hbase-issues mailing list archives

From "Enis Soztutar (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HBASE-5968) Proper html escaping for region names
Date Wed, 09 May 2012 02:35:49 GMT
Enis Soztutar created HBASE-5968:
------------------------------------

             Summary: Proper html escaping for region names
                 Key: HBASE-5968
                 URL: https://issues.apache.org/jira/browse/HBASE-5968
             Project: HBase
          Issue Type: Bug
          Components: util
    Affects Versions: 0.96.0
            Reporter: Enis Soztutar
            Assignee: Enis Soztutar


I noticed that we are not doing HTML escaping for the rs/master web interfaces, so you can
end up generating HTML like:
{code}
<tr>
  <td>ci,,\xEEp/<T\xBE\xC0,1336471826990.fc5a943e75ce8521b1ccdaf72d2c96c8.</td>
  
  <td>
    <a href="http://hrt24n06.cc1.ygridcore.net:60030/">hrt24n06.cc1.ygridcore.net:60030</a>
  </td>
  
  <td>,\xEEp/<T\xBE\xC0</td>
  <td>-n\xA8\xE0\x15\xDD\x80!</td>
  <td>2966724</td>
</tr>
{code}

This obviously does not render properly. 

Also, my crazy theory is that it can be a security risk, since the region name is computed
from table rows, which are most of the time user input. Thus, if the rows contain a "<script
onload=" or similar, then that will be executed in the developer's browser, which possibly
has access to the dev environment.


--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
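
An added example, not code from the HBase project or from the reporter, of the output escaping the issue asks for: a key is rendered in the `\xNN` notation seen in the report and then HTML-escaped before it is placed in a table cell. The names `RegionNameCell`, `toPrintable`, `escapeHtml` and `cell` are hypothetical, and the second row key is constructed sample input.

```java
import java.nio.charset.StandardCharsets;

public class RegionNameCell {
    // Hypothetical helper: printable ASCII stays as-is, every other byte (and the
    // backslash itself) becomes \xNN, matching the notation used in the report.
    static String toPrintable(byte[] key) {
        StringBuilder sb = new StringBuilder();
        for (byte b : key) {
            int c = b & 0xFF;
            if (c >= 0x20 && c < 0x7F && c != '\\') {
                sb.append((char) c);
            } else {
                sb.append(String.format("\\x%02X", c));
            }
        }
        return sb.toString();
    }

    // Escape the five characters that are significant in HTML text and attribute values.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Escaping happens at the point of output, so no caller can skip it.
    static String cell(String text) {
        return "<td>" + escapeHtml(text) + "</td>";
    }

    public static void main(String[] args) {
        // Start key shown in the report: ,\xEEp/<T\xBE\xC0
        byte[] fromReport = {0x2C, (byte) 0xEE, 0x70, 0x2F, 0x3C, 0x54, (byte) 0xBE, (byte) 0xC0};
        // Constructed row key containing markup characters.
        byte[] constructed = "row<b>&\"1\"".getBytes(StandardCharsets.US_ASCII);
        for (byte[] key : new byte[][] {fromReport, constructed}) {
            String shown = toPrintable(key);
            System.out.println("unescaped: <td>" + shown + "</td>");
            System.out.println("escaped:   " + cell(shown));
        }
    }
}
```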

        
