Posted to commits@ambari.apache.org by as...@apache.org on 2019/10/01 09:27:55 UTC
[ambari] branch branch-2.7 updated: AMBARI-25384 Ambari Files View
is Vulnerable to XSS attack (asnaik) (#3088)
This is an automated email from the ASF dual-hosted git repository.
asnaik pushed a commit to branch branch-2.7
in repository https://gitbox.apache.org/repos/asf/ambari.git
The following commit(s) were added to refs/heads/branch-2.7 by this push:
new 4708077 AMBARI-25384 Ambari Files View is Vulnerable to XSS attack (asnaik) (#3088)
4708077 is described below
commit 47080774506b7011b02e4d6f7afba16c87f212b6
Author: Asnaik HWX <as...@hortonworks.com>
AuthorDate: Tue Oct 1 14:57:48 2019 +0530
AMBARI-25384 Ambari Files View is Vulnerable to XSS attack (asnaik) (#3088)
---
.../views/files/src/main/resources/ui/app/components/delete-modal.js | 2 +-
.../views/files/src/main/resources/ui/app/services/alert-messages.js | 2 ++
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/contrib/views/files/src/main/resources/ui/app/components/delete-modal.js b/contrib/views/files/src/main/resources/ui/app/components/delete-modal.js
index cb71ba7..49f6e9d 100644
--- a/contrib/views/files/src/main/resources/ui/app/components/delete-modal.js
+++ b/contrib/views/files/src/main/resources/ui/app/components/delete-modal.js
@@ -80,7 +80,7 @@ export default Ember.Component.extend(OperationModal, {
this.set('hasError', true);
this.set('currentFailedPath', error.failed);
this.set('currentServerFailureMessage', error.message);
- this.set('currentFailureMessage', `Failed to delete <strong>${error.failed}</strong>.`);
+ this.set('currentFailureMessage', `Failed to delete <strong>${Ember.Handlebars.Utils.escapeExpression(error.failed)}</strong>.`);
this.set('shouldRetry', error.retry);
this.set('currentUnprocessedPaths', error.unprocessed);
} else {
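Review bot: The escape on the new line covers only the path interpolated into currentFailureMessage; error.message is still stored verbatim in currentServerFailureMessage on the line above, and error.failed verbatim in currentFailedPath, so if either is rendered with a triple-stache or htmlSafe in the template (not visible here) the same server-controlled text still reaches the DOM unescaped. A more robust shape is to keep the markup in the template and rely on Ember's default double-stache escaping, e.g. `<strong>{{currentFailedPath}}</strong>`, instead of hand-building an HTML string that must be remembered to escape at every call site. Note too that Handlebars' escapeExpression returns values carrying toHTML() (SafeString) unescaped, so the guard only holds for plain strings, which presumably error.failed always is — worth confirming against the API response. The enclosing error handler begins before this hunk.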
diff --git a/contrib/views/files/src/main/resources/ui/app/services/alert-messages.js b/contrib/views/files/src/main/resources/ui/app/services/alert-messages.js
index ed4cff1..001a467 100644
--- a/contrib/views/files/src/main/resources/ui/app/services/alert-messages.js
+++ b/contrib/views/files/src/main/resources/ui/app/services/alert-messages.js
@@ -75,6 +75,8 @@ export default Ember.Service.extend({
_processMessage: function(type, message, options, alertOptions) {
this._clearMessagesIfRequired(alertOptions);
+ //escape html characters in the message
+ message = Ember.Handlebars.Utils.escapeExpression(message);
let alertRecord = this._createAlert(message, type, options, alertOptions);
if(alertRecord) {
this.toggleProperty('alertsChanged');