Posted to commits@airflow.apache.org by "ASF subversion and git services (JIRA)" <ji...@apache.org> on 2017/03/28 23:41:41 UTC

[jira] [Commented] (AIRFLOW-1047) Airflow logs vulnerable to XSS

    [ https://issues.apache.org/jira/browse/AIRFLOW-1047?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15946220#comment-15946220 ] 

ASF subversion and git services commented on AIRFLOW-1047:
----------------------------------------------------------

Commit fe9ebe3ccf5fec4c491343659aa0c52e4125f66b in incubator-airflow's branch refs/heads/master from [~saguziel]
[ https://git-wip-us.apache.org/repos/asf?p=incubator-airflow.git;h=fe9ebe3 ]

[AIRFLOW-1047] Sanitize strings passed to Markup

We add the Apache-licensed bleach library and use it to sanitize html
passed to Markup (which is supposed to be already escaped). This avoids
some XSS issues with unsanitized user input being displayed.

Closes #2193 from saguziel/aguziel-xss


> Airflow logs vulnerable to XSS
> ------------------------------
>
>                 Key: AIRFLOW-1047
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-1047
>             Project: Apache Airflow
>          Issue Type: Bug
>            Reporter: Alex Guziel
>            Assignee: Alex Guziel
>             Fix For: 1.9.0
>
>
> Navigating to a page with dag_id param specified as an HTML tag leads to that tag being rendered due to using Markup tag (which makes HTML be labeled as safe).



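The failure mode described in the issue, as an added example that is not Airflow's code or the code from this commit: a value wrapped in Markup is treated as already escaped, so the template layer emits it verbatim. The `Markup` class below is a standard-library stand-in for the real type, the `title_*` functions and the sample `dag_id` are hypothetical, and the hardened variant escapes with `html.escape` rather than sanitizing with bleach as the commit does.

```python
import html


class Markup(str):
    """Stand-in for a template engine's Markup type: a str flagged as safe HTML."""

    def __html__(self):
        return self


def autoescape(value):
    """What the template layer does on output: trust __html__, escape the rest."""
    if hasattr(value, "__html__"):
        return str(value.__html__())
    return html.escape(str(value), quote=True)


def title_vulnerable(dag_id):
    # User input is formatted into the string and the whole result is labelled safe.
    return Markup("<h3>DAG: %s</h3>" % dag_id)


def title_hardened(dag_id):
    # Escape the untrusted part first; only the fixed wrapper is trusted markup.
    return Markup("<h3>DAG: %s</h3>" % html.escape(dag_id, quote=True))


SAMPLE_DAG_ID = "<script>alert(1)</script>"  # constructed request parameter


def demo():
    """Render the same input three ways and return the HTML that reaches the page."""
    return {
        "plain": autoescape(SAMPLE_DAG_ID),
        "vulnerable": autoescape(title_vulnerable(SAMPLE_DAG_ID)),
        "hardened": autoescape(title_hardened(SAMPLE_DAG_ID)),
    }


if __name__ == "__main__":
    for name, out in demo().items():
        print(f"{name:10} {out}")
```

A plain string is escaped on output; the same string inside Markup is not, which is why input must be escaped or sanitized before it is wrapped.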