You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@hbase.apache.org by "Nick Dimiduk (JIRA)" <ji...@apache.org> on 2012/12/01 01:49:58 UTC
[jira] [Commented] (HBASE-1299) JSPs don't HTML escape literals
(ie: table names, region names, start & end keys)
[ https://issues.apache.org/jira/browse/HBASE-1299?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13507799#comment-13507799 ]
Nick Dimiduk commented on HBASE-1299:
-------------------------------------
steps to repro:
> create 't1', {NAME => 'f1'}
> put 't1', "<script>alert('hello world');</script>", 'f1:foo', 0
> split 't1', "<script>alert('hello world');</script>"
open http://localhost:60010/table.jsp?name=t1
alerts will pop.
> JSPs don't HTML escape literals (ie: table names, region names, start & end keys)
> ---------------------------------------------------------------------------------
>
> Key: HBASE-1299
> URL: https://issues.apache.org/jira/browse/HBASE-1299
> Project: HBase
> Issue Type: Bug
> Affects Versions: 0.19.0, 0.19.1
> Reporter: Hoss Man
> Attachments: 1299.patch
>
>
> similar to HBASE-1298, the various JSPs included with HBase for monitoring the system don't seem to do any HTML escaping when displaying user entered data which may contain special characters: table names, region names, start Keys, or end Keys
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira