Posted to commits@ambari.apache.org by wu...@apache.org on 2022/11/14 16:36:59 UTC
[ambari] branch trunk updated: AMBARI-25384: Ambari Files View is Vulnerable to XSS attack (#3490)
This is an automated email from the ASF dual-hosted git repository.
wuzhiguo pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ambari.git
The following commit(s) were added to refs/heads/trunk by this push:
new 379c98e84f AMBARI-25384: Ambari Files View is Vulnerable to XSS attack (#3490)
379c98e84f is described below
commit 379c98e84feac7c53dcff8b739b0dedf4d2345f9
Author: Zhiguo Wu <wu...@apache.org>
AuthorDate: Tue Nov 15 00:36:53 2022 +0800
AMBARI-25384: Ambari Files View is Vulnerable to XSS attack (#3490)
---
.../views/files/src/main/resources/ui/app/components/delete-modal.js | 2 +-
.../views/files/src/main/resources/ui/app/services/alert-messages.js | 2 ++
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/contrib/views/files/src/main/resources/ui/app/components/delete-modal.js b/contrib/views/files/src/main/resources/ui/app/components/delete-modal.js
index cb71ba7b92..49f6e9dd25 100644
--- a/contrib/views/files/src/main/resources/ui/app/components/delete-modal.js
+++ b/contrib/views/files/src/main/resources/ui/app/components/delete-modal.js
@@ -80,7 +80,7 @@ export default Ember.Component.extend(OperationModal, {
this.set('hasError', true);
this.set('currentFailedPath', error.failed);
this.set('currentServerFailureMessage', error.message);
- this.set('currentFailureMessage', `Failed to delete <strong>${error.failed}</strong>.`);
+ this.set('currentFailureMessage', `Failed to delete <strong>${Ember.Handlebars.Utils.escapeExpression(error.failed)}</strong>.`);
this.set('shouldRetry', error.retry);
this.set('currentUnprocessedPaths', error.unprocessed);
} else {
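Review bot: `error.message` on the line `this.set('currentServerFailureMessage', error.message);` is still stored unescaped, so if that property is rendered with a triple-stash or marked `htmlSafe` anywhere in the delete-modal template it remains the same server-controlled XSS sink the `error.failed` fix closes; either wrap it in `Ember.Handlebars.Utils.escapeExpression` as well, or confirm in the template that it only ever goes through a double-stash `{{ }}`. The `currentUnprocessedPaths` array set two lines later deserves the same check, since it also carries filenames. A one-line comment on the escaped `currentFailureMessage` line noting that the string is intentionally HTML (it wraps the path in `<strong>`) and therefore must escape its interpolation would stop the next editor from "simplifying" it back.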
diff --git a/contrib/views/files/src/main/resources/ui/app/services/alert-messages.js b/contrib/views/files/src/main/resources/ui/app/services/alert-messages.js
index ed4cff1aac..001a4676e0 100644
--- a/contrib/views/files/src/main/resources/ui/app/services/alert-messages.js
+++ b/contrib/views/files/src/main/resources/ui/app/services/alert-messages.js
@@ -75,6 +75,8 @@ export default Ember.Service.extend({
_processMessage: function(type, message, options, alertOptions) {
this._clearMessagesIfRequired(alertOptions);
+ //escape html characters in the message
+ message = Ember.Handlebars.Utils.escapeExpression(message);
let alertRecord = this._createAlert(message, type, options, alertOptions);
if(alertRecord) {
this.toggleProperty('alertsChanged');
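Review bot: the new `message = Ember.Handlebars.Utils.escapeExpression(message);` escapes every message unconditionally before `_createAlert`, which is only correct if the alert template renders the stored message with a triple-stash; if it renders `{{message}}`, Ember will escape again and users will see `&amp;lt;` style entities. Conversely, any caller that already builds HTML (the delete modal in this same patch constructs a `<strong>` string) or pre-escapes its input will now have its markup shown literally or double-escaped. Suggest checking the callers of `_processMessage` and the alert template in the same change, and replacing the terse `//escape html characters in the message` comment with one stating the contract, for example "messages are treated as plain text; callers must not pass HTML", so the service's rendering assumptions are documented next to the escape.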
---------------------------------------------------------------------