Posted to yarn-dev@hadoop.apache.org by "Ted Yu (JIRA)" <ji...@apache.org> on 2014/04/28 19:08:20 UTC
[jira] [Created] (YARN-1993) Cross-site scripting vulnerability in TextView.java
Ted Yu created YARN-1993:
----------------------------
Summary: Cross-site scripting vulnerability in TextView.java
Key: YARN-1993
URL: https://issues.apache.org/jira/browse/YARN-1993
Project: Hadoop YARN
Issue Type: Bug
Reporter: Ted Yu
In hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/view/TextView.java, method echo(), e.g.:
{code}
for (Object s : args) {
  out.print(s);
}
{code}
Printing s to an HTML page allows cross-site scripting, because it was not properly sanitized for the HTML attribute name context.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
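
An added example, not part of the original report or of the Hadoop code base: the echo() loop quoted in the report next to a variant that HTML-encodes each argument before printing it. The class name, `echoRaw`, `echoEscaped`, `escapeHtml` and the sample string are hypothetical, and the encoder assumes the value lands in element content or a quoted attribute value; entity encoding does not make input safe when it is used as an attribute name or in an unquoted attribute.

```java
import java.io.PrintWriter;
import java.io.StringWriter;

public class EchoEscapeDemo {
    // The reported pattern: each argument is written to the page verbatim.
    static void echoRaw(PrintWriter out, Object... args) {
        for (Object s : args) {
            out.print(s);
        }
    }

    // Hypothetical hardened variant: encode each argument before writing.
    static void echoEscaped(PrintWriter out, Object... args) {
        for (Object s : args) {
            out.print(escapeHtml(String.valueOf(s)));
        }
    }

    // Minimal entity encoder. Assumption: the value is placed in element
    // content or inside a quoted attribute value, and nowhere else.
    static String escapeHtml(String in) {
        StringBuilder sb = new StringBuilder(in.length() + 16);
        for (int i = 0; i < in.length(); i++) {
            char c = in.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] argv) {
        // Constructed sample standing in for a request-derived value.
        String untrusted = "job \"A&B\" <i>test</i>";
        StringWriter raw = new StringWriter(), safe = new StringWriter();
        try (PrintWriter r = new PrintWriter(raw); PrintWriter s = new PrintWriter(safe)) {
            echoRaw(r, "<td>", untrusted, "</td>");
            echoEscaped(s, untrusted);
        }
        System.out.println("raw:     " + raw);
        System.out.println("escaped: <td>" + safe + "</td>");
    }
}
```

Callers that pass trusted markup and untrusted data through the same method need to encode only the data, which is why the demo applies `echoEscaped` to the value alone.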