Posted to yarn-dev@hadoop.apache.org by "Ted Yu (JIRA)" <ji...@apache.org> on 2014/04/28 19:08:20 UTC

[jira] [Created] (YARN-1993) Cross-site scripting vulnerability in TextView.java

Ted Yu created YARN-1993:
----------------------------

             Summary: Cross-site scripting vulnerability in TextView.java
                 Key: YARN-1993
                 URL: https://issues.apache.org/jira/browse/YARN-1993
             Project: Hadoop YARN
          Issue Type: Bug
            Reporter: Ted Yu


In hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/view/TextView.java, method echo(), e.g.:
{code}
    for (Object s : args) {
      out.print(s);
    }
{code}
Printing s to an HTML page allows cross-site scripting, because it was not properly sanitized for the HTML attribute name context.



--
This message was sent by Atlassian JIRA
(v6.2#6252)