Posted to issues@flink.apache.org by "Stephan Ewen (JIRA)" <ji...@apache.org> on 2015/10/21 19:09:27 UTC

[jira] [Closed] (FLINK-2789) Vulnerability to XSS attack due to printing HTML output

     [ https://issues.apache.org/jira/browse/FLINK-2789?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stephan Ewen closed FLINK-2789.
-------------------------------

> Vulnerability to XSS attack due to printing HTML output
> -------------------------------------------------------
>
>                 Key: FLINK-2789
>                 URL: https://issues.apache.org/jira/browse/FLINK-2789
>             Project: Flink
>          Issue Type: Bug
>            Reporter: Ted Yu
>            Priority: Minor
>             Fix For: 0.10
>
>
> In flink-clients/src/main/java/org/apache/flink/client/web/PlanDisplayServlet.java :
> {code}
> 113                     writer.println("        // register the event handler for the 'run' button and activate zoom Buttons\n"
> 114                                             + " activateZoomButtons();"
> 115                                             + "        $('#run_button').click(function () {\n" + "          $('#run_button').remove();\n"
> 116                                             + "          $.ajax( {" + " url: '/runJob'," + " data: { action: 'runsubmitted', id: '" + uid + "' },"
> 117                                             + " success: function () { alert('Job succesfully submitted');"
> 118                                             + (this.runtimeVisURL != null ? (" window.location = \"" + this.runtimeVisURL + "\"; },") : " },")
> {code}
> Printing HTML output induces an XSS vulnerability



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
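The breakout the ticket describes, shown as an added example that is not part of the ticket, the mailing-list thread, or the Flink code base. It reproduces the concatenation pattern from the quoted PlanDisplayServlet snippet (a value dropped into a single-quoted JavaScript literal inside generated HTML) and sets a hardened variant beside it. Everything here is an assumption for illustration: the class name, the allow-list pattern, the escapeJsString helper, and the premise that uid (and likewise runtimeVisURL, which the original places in a double-quoted literal) can carry attacker-influenced content. It does not represent the fix that was actually applied to the project.

```java
import java.util.regex.Pattern;

// Added example (hypothetical), not Flink's code.
public class PlanDisplayXssDemo {

    // Mirrors the original concatenation: uid lands verbatim inside a single-quoted JS literal.
    static String vulnerableRunHandler(String uid) {
        return "$('#run_button').click(function () {\n"
             + "  $.ajax( { url: '/runJob', data: { action: 'runsubmitted', id: '" + uid + "' } });\n"
             + "});\n";
    }

    // Assumed shape of a legitimate job id; anything else is refused before it reaches the page.
    static final Pattern SAFE_ID = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    // Hardened variant: allow-list the value, then still escape it for the JS string context so a
    // later relaxation of the allow-list cannot silently reopen the hole.
    static String hardenedRunHandler(String uid) {
        if (!SAFE_ID.matcher(uid).matches()) {
            throw new IllegalArgumentException("job id contains unexpected characters");
        }
        return "$('#run_button').click(function () {\n"
             + "  $.ajax( { url: '/runJob', data: { action: 'runsubmitted', id: '" + escapeJsString(uid) + "' } });\n"
             + "});\n";
    }

    // Escape for use inside a JS string literal (single- or double-quoted). '<' and '>' are
    // encoded as well so "</script>" inside the value cannot terminate the enclosing block.
    static String escapeJsString(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 8);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '\\':     sb.append("\\\\");   break;
                case '\'':     sb.append("\\'");    break;
                case '"':      sb.append("\\\"");   break;
                case '<':      sb.append("\\u003C"); break;
                case '>':      sb.append("\\u003E"); break;
                case '\n':     sb.append("\\n");    break;
                case '\r':     sb.append("\\r");    break;
                case '\u2028': sb.append("\\u2028"); break;
                case '\u2029': sb.append("\\u2029"); break;
                default:       sb.append(c);
            }
        }
        return sb.toString();
    }

    // Review check: does the attacker-supplied value appear unchanged in the emitted script?
    static boolean injectedVerbatim(String script, String uid) {
        return script.contains(uid);
    }

    public static void main(String[] args) {
        // Constructed payload: closes the id literal and the ajax call, runs code, comments out the rest.
        String evilUid = "1'}); alert(document.cookie); //";

        String vuln = vulnerableRunHandler(evilUid);
        System.out.println(vuln);
        System.out.println("payload survives in vulnerable output: " + injectedVerbatim(vuln, evilUid));

        try {
            hardenedRunHandler(evilUid);
        } catch (IllegalArgumentException e) {
            System.out.println("hardened variant rejected it: " + e.getMessage());
        }

        // What the escaping alone would do if the allow-list were not there.
        System.out.println("escaped form: " + escapeJsString(evilUid));

        // A benign id passes the allow-list; escaping is a no-op for it.
        System.out.println(hardenedRunHandler("job-42_abc"));
    }
}
```

The two layers are deliberate: the allow-list is what stops the attack, and the context-specific escaping is what keeps the page safe if someone later widens the allow-list. Escaping for an HTML attribute or for HTML text would not help here, because the value sits inside a script block; the encoding has to match the JavaScript string context the value is emitted into.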