Posted to dev@hbase.apache.org by "Hoss Man (JIRA)" <ji...@apache.org> on 2009/03/30 19:52:50 UTC

[jira] Created: (HBASE-1299) JSPs don't HTML escape literals (ie: table names, region names, start & end keys)

JSPs don't HTML escape literals (ie: table names, region names, start & end keys)
---------------------------------------------------------------------------------

                 Key: HBASE-1299
                 URL: https://issues.apache.org/jira/browse/HBASE-1299
             Project: Hadoop HBase
          Issue Type: Bug
    Affects Versions: 0.19.1, 0.19.0
            Reporter: Hoss Man


similar to HBASE-1298, the various JSPs included with HBase for monitoring the system don't seem to do any HTML escaping when displaying user-entered data which may contain special characters: table names, region names, start keys, or end keys.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Commented: (HBASE-1299) JSPs don't HTML escape literals (ie: table names, region names, start & end keys)

Posted by "Lars George (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HBASE-1299?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12695774#action_12695774 ] 

Lars George commented on HBASE-1299:
------------------------------------

I would have done this too while working on HBASE-1298 but I am not sure if there is nowadays an equivalent to the URLEncode class that does HTML codepoint conversions. Or maybe there is one somewhere already in the project in another library? Do you know?

If not, this seems not to warrant adding, for example, Commons Lang:
  http://commons.apache.org/lang/api-release/org/apache/commons/lang/StringEscapeUtils.html

We could simply add a local helper that does the encoding, but I would like to know first from the boss if that is advisable or what the general approach to this is. Please advise.



[jira] Commented: (HBASE-1299) JSPs don't HTML escape literals (ie: table names, region names, start & end keys)

Posted by "Hoss Man (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HBASE-1299?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12695797#action_12695797 ] 

Hoss Man commented on HBASE-1299:
---------------------------------

it's been a while since i did anything with JSPs, but as i recall JSP 1.2 had a standard taglib for escaping variables when outputting them.

i would suggest that it might be worthwhile to convert all the JSPs to JSP 2.0 (aka: *.jspx) where escaping variables on output is the default, because both the templates and the output are guaranteed to be well-formed XML (or xhtml if that's what your goal is).

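
Added example, not part of the thread and not HBase code: one shape the "local helper" proposed in the comments above could take, escaping a value just before a JSP writes it into element content or a quoted attribute. The class name `HtmlEscape`, its `escape` method and the sample table name and start key are hypothetical and constructed for illustration.

```java
// Added example: a dependency-free HTML escaping helper for values such as
// table names, region names, start keys and end keys. Hypothetical names.
public final class HtmlEscape {
    private HtmlEscape() {}

    /** Escapes text for HTML element content and quoted attribute values. */
    public static String escape(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:
                    if (c < 0x20 && c != '\t' && c != '\n' && c != '\r') {
                        // Keys can hold arbitrary bytes; control characters
                        // are shown as a visible \xNN sequence rather than
                        // written into the page as-is.
                        out.append(String.format("\\x%02X", (int) c));
                    } else {
                        out.append(c);
                    }
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample values standing in for a table name and a start key.
        String tableName = "logs<b>&archive";
        String startKey = "row\"1\u0000'end";
        // Element content: markup characters become entities.
        System.out.println("<td>" + escape(tableName) + "</td>");
        // Quoted attribute: both quote characters are escaped as well.
        System.out.println("<td title=\"" + escape(startKey) + "\">key</td>");
    }
}
```

In a JSP the call would wrap each expression that prints one of these values, for example `<%= HtmlEscape.escape(name) %>`, where `name` is an assumed variable.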