Posted to commits@ambari.apache.org by wu...@apache.org on 2022/11/14 16:36:59 UTC

[ambari] branch trunk updated: AMBARI-25384: Ambari Files View is Vulnerable to XSS attack (#3490)

This is an automated email from the ASF dual-hosted git repository.

wuzhiguo pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ambari.git


The following commit(s) were added to refs/heads/trunk by this push:
     new 379c98e84f AMBARI-25384: Ambari Files View is Vulnerable to XSS attack (#3490)
379c98e84f is described below

commit 379c98e84feac7c53dcff8b739b0dedf4d2345f9
Author: Zhiguo Wu <wu...@apache.org>
AuthorDate: Tue Nov 15 00:36:53 2022 +0800

    AMBARI-25384: Ambari Files View is Vulnerable to XSS attack (#3490)
---
 .../views/files/src/main/resources/ui/app/components/delete-modal.js    | 2 +-
 .../views/files/src/main/resources/ui/app/services/alert-messages.js    | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/contrib/views/files/src/main/resources/ui/app/components/delete-modal.js b/contrib/views/files/src/main/resources/ui/app/components/delete-modal.js
index cb71ba7b92..49f6e9dd25 100644
--- a/contrib/views/files/src/main/resources/ui/app/components/delete-modal.js
+++ b/contrib/views/files/src/main/resources/ui/app/components/delete-modal.js
@@ -80,7 +80,7 @@ export default Ember.Component.extend(OperationModal, {
           this.set('hasError', true);
           this.set('currentFailedPath', error.failed);
           this.set('currentServerFailureMessage', error.message);
-          this.set('currentFailureMessage', `Failed to delete <strong>${error.failed}</strong>.`);
+          this.set('currentFailureMessage', `Failed to delete <strong>${Ember.Handlebars.Utils.escapeExpression(error.failed)}</strong>.`);
           this.set('shouldRetry', error.retry);
           this.set('currentUnprocessedPaths', error.unprocessed);
         } else {
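Review bot: Escaping `error.failed` here is only the complete fix if every value rendered as HTML in this modal gets the same treatment; `currentServerFailureMessage` is set from `error.message` two lines above without escaping, so confirm the template renders it with the default `{{...}}` (auto-escaped) and not `{{{...}}}` or `htmlSafe`, otherwise it needs the same `escapeExpression` wrapping. Since the template string deliberately contains `<strong>` markup, the template must be rendering `currentFailureMessage` unescaped, which is exactly why the interpolated path has to be escaped at construction time; a short comment saying so, and a regression test with a path such as `<img src=x onerror=...>` asserting that the rendered message contains `&lt;img` rather than an element, would keep the next refactor from silently dropping the call. Minor: the line is now very long; `const escapedPath = Ember.Handlebars.Utils.escapeExpression(error.failed);` on its own line would read better.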
diff --git a/contrib/views/files/src/main/resources/ui/app/services/alert-messages.js b/contrib/views/files/src/main/resources/ui/app/services/alert-messages.js
index ed4cff1aac..001a4676e0 100644
--- a/contrib/views/files/src/main/resources/ui/app/services/alert-messages.js
+++ b/contrib/views/files/src/main/resources/ui/app/services/alert-messages.js
@@ -75,6 +75,8 @@ export default Ember.Service.extend({
 
   _processMessage: function(type, message, options, alertOptions) {
     this._clearMessagesIfRequired(alertOptions);
+    //escape html characters in the message
+    message = Ember.Handlebars.Utils.escapeExpression(message);
     let alertRecord = this._createAlert(message, type, options, alertOptions);
     if(alertRecord) {
       this.toggleProperty('alertsChanged');
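Review bot: Escaping in `_processMessage` is correct only if the alert template renders `message` unescaped (`{{{message}}}` or via `htmlSafe`); if it uses the default `{{message}}`, Ember already escapes on render and this change produces double-escaped output (`&amp;lt;` instead of `&lt;`), so please verify the template before merging. It also changes behaviour for every caller: any message that intentionally carries markup, such as the `<strong>`-wrapped failure message built in the first hunk if it is ever passed to this service, will now be shown as literal tags. If some callers legitimately need markup, consider escaping at the call sites that interpolate untrusted data (as the first hunk does) rather than centrally, or add an explicit option such as `options.allowHtml` that defaults to false. Style: the comment should read `// escape HTML characters in the message` with a space after the slashes, matching the rest of the file, and a test asserting that `_processMessage('error', '<script>x</script>', ...)` yields an alert whose text contains `&lt;script&gt;` would lock the fix in.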

