You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@hbase.apache.org by "Nick Dimiduk (JIRA)" <ji...@apache.org> on 2012/12/01 01:49:58 UTC

[jira] [Commented] (HBASE-1299) JSPs don't HTML escape literals (ie: table names, region names, start & end keys)

    [ https://issues.apache.org/jira/browse/HBASE-1299?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13507799#comment-13507799 ] 

Nick Dimiduk commented on HBASE-1299:
-------------------------------------

steps to repro:

> create 't1', {NAME => 'f1'}
> put 't1', "<script>alert('hello world');</script>", 'f1:foo', 0
> split 't1', "<script>alert('hello world');</script>"

open http://localhost:60010/table.jsp?name=t1

alerts will pop.

                
> JSPs don't HTML escape literals (ie: table names, region names, start & end keys)
> ---------------------------------------------------------------------------------
>
>                 Key: HBASE-1299
>                 URL: https://issues.apache.org/jira/browse/HBASE-1299
>             Project: HBase
>          Issue Type: Bug
>    Affects Versions: 0.19.0, 0.19.1
>            Reporter: Hoss Man
>         Attachments: 1299.patch
>
>
> similar to HBASE-1298, the various JSPs included with HBase for monitoring the system don't seem to do any HTML escaping when displaying user entered data which may contain special characters: table names, region names, start Keys, or end Keys

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira