Posted to yarn-commits@hadoop.apache.org by jl...@apache.org on 2014/04/18 23:53:45 UTC
svn commit: r1588577 - in
/hadoop/common/branches/branch-0.23/hadoop-yarn-project: ./
hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/view/
hadoop-yarn/hadoop-yarn-common/src/test/java/org/apache/hadoop/yarn/webapp/view/
Author: jlowe
Date: Fri Apr 18 21:53:45 2014
New Revision: 1588577
URL: http://svn.apache.org/r1588577
Log:
svn merge -c 1588572 FIXES: YARN-1932. Javascript injection on the job status page. Contributed by Mit Desai
Modified:
hadoop/common/branches/branch-0.23/hadoop-yarn-project/CHANGES.txt
hadoop/common/branches/branch-0.23/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/view/InfoBlock.java
hadoop/common/branches/branch-0.23/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/test/java/org/apache/hadoop/yarn/webapp/view/TestInfoBlock.java
Modified: hadoop/common/branches/branch-0.23/hadoop-yarn-project/CHANGES.txt
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.23/hadoop-yarn-project/CHANGES.txt?rev=1588577&r1=1588576&r2=1588577&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.23/hadoop-yarn-project/CHANGES.txt (original)
+++ hadoop/common/branches/branch-0.23/hadoop-yarn-project/CHANGES.txt Fri Apr 18 21:53:45 2014
@@ -33,6 +33,9 @@ Release 0.23.11 - UNRELEASED
YARN-1670. aggregated log writer can write more log data then it says is
the log length (Mit Desai via jeagles)
+ YARN-1932. Javascript injection on the job status page (Mit Desai via
+ jlowe)
+
Release 0.23.10 - 2013-12-09
INCOMPATIBLE CHANGES
Modified: hadoop/common/branches/branch-0.23/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/view/InfoBlock.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.23/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/view/InfoBlock.java?rev=1588577&r1=1588576&r2=1588577&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.23/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/view/InfoBlock.java (original)
+++ hadoop/common/branches/branch-0.23/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/view/InfoBlock.java Fri Apr 18 21:53:45 2014
@@ -57,11 +57,11 @@ public class InfoBlock extends HtmlBlock
DIV<TD<TR<TABLE<DIV<Hamlet>>>>> singleLineDiv;
for ( String line :lines) {
singleLineDiv = td.div();
- singleLineDiv._r(line);
+ singleLineDiv._(line);
singleLineDiv._();
}
} else {
- td._r(value);
+ td._(value);
}
td._();
} else {
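Review bot: The fix depends on the reader knowing that Hamlet's `_()` HTML-escapes its argument while `_r()` writes it through raw, and nothing in the hunk records that, so a later "make this render rich text" edit could quietly reintroduce the hole; a one-line comment above the first replaced call would pin the intent, e.g. `// _() escapes the value; _r() emitted it as raw HTML and let user-supplied strings inject script (YARN-1932)`. The same comment belongs on the second replaced call in the else branch. The enclosing render method, and the branch that splits the value on newlines, start and end outside the hunk, so any other `_r()` call that may remain elsewhere in the method is not visible here and would need the same review.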
Modified: hadoop/common/branches/branch-0.23/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/test/java/org/apache/hadoop/yarn/webapp/view/TestInfoBlock.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.23/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/test/java/org/apache/hadoop/yarn/webapp/view/TestInfoBlock.java?rev=1588577&r1=1588576&r2=1588577&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.23/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/test/java/org/apache/hadoop/yarn/webapp/view/TestInfoBlock.java (original)
+++ hadoop/common/branches/branch-0.23/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/test/java/org/apache/hadoop/yarn/webapp/view/TestInfoBlock.java Fri Apr 18 21:53:45 2014
@@ -21,6 +21,7 @@ package org.apache.hadoop.yarn.webapp.vi
import java.io.PrintWriter;
import java.io.StringWriter;
+import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
import org.apache.hadoop.yarn.webapp.ResponseInfo;
@@ -34,6 +35,33 @@ public class TestInfoBlock {
public static PrintWriter pw;
+ static final String JAVASCRIPT = "<script>alert('text')</script>";
+ static final String JAVASCRIPT_ESCAPED =
+ "<script>alert('text')</script>";
+
+ public static class JavaScriptInfoBlock extends InfoBlock{
+
+ static ResponseInfo resInfo;
+
+ static {
+ resInfo = new ResponseInfo();
+ resInfo._("User_Name", JAVASCRIPT);
+ }
+
+ @Override
+ public PrintWriter writer() {
+ return TestInfoBlock.pw;
+ }
+
+ JavaScriptInfoBlock(ResponseInfo info) {
+ super(resInfo);
+ }
+
+ public JavaScriptInfoBlock() {
+ super(resInfo);
+ }
+ }
+
public static class MultilineInfoBlock extends InfoBlock{
static ResponseInfo resInfo;
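Review bot: The `JavaScriptInfoBlock(ResponseInfo info)` constructor ignores its `info` argument and passes the static `resInfo` to `super`, so the parameter is misleading; either drop that constructor (the public no-arg one already does the same thing) or forward the argument with `super(info);`. The shape looks copied from `MultilineInfoBlock`, whose body lies outside the hunk, so the same may apply there. The static initializer that seeds `resInfo` with the script string is fine as test data, but a short comment such as `// value deliberately contains markup; InfoBlock must emit it escaped` would tell the next reader why a script tag is being put into the user name.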
@@ -78,4 +106,13 @@ public class TestInfoBlock {
+ " This is second line.\n </div>\n";
assertTrue(output.contains(expectedSinglelineData) && output.contains(expectedMultilineData));
}
+
+ @Test(timeout=60000L)
+ public void testJavaScriptInfoBlock() throws Exception{
+ WebAppTests.testBlock(JavaScriptInfoBlock.class);
+ TestInfoBlock.pw.flush();
+ String output = TestInfoBlock.sw.toString();
+ assertFalse(output.contains("<script>"));
+ assertTrue(output.contains(JAVASCRIPT_ESCAPED));
+ }
}
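Review bot: `assertTrue(output.contains(JAVASCRIPT_ESCAPED))` only proves the fix if `JAVASCRIPT_ESCAPED` really holds the entity-encoded form, but as printed on this page the constant reads identically to `JAVASCRIPT`, which would make it contradict the preceding `assertFalse(output.contains("<script>"))`; presumably the listing lost the `&lt;`/`&gt;` entities when rendered, which is worth confirming against the checked-in source. Asserting the escaped form literally would make the test self-describing regardless of how the constant is defined, `assertTrue(output.contains("&lt;script&gt;alert('text')&lt;/script&gt;"));`. Checking the escaped form before the negative assertion also makes a failure message point at the real problem rather than at a raw tag that may never have been rendered.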
\ No newline at end of file