Posted to issues@hbase.apache.org by "Enis Soztutar (JIRA)" <ji...@apache.org> on 2012/11/30 03:19:58 UTC

[jira] [Resolved] (HBASE-5968) Proper html escaping for region names

     [ https://issues.apache.org/jira/browse/HBASE-5968?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Enis Soztutar resolved HBASE-5968.
----------------------------------

    Resolution: Duplicate

Closing this in favor of HBASE-1299
                
> Proper html escaping for region names
> -------------------------------------
>
>                 Key: HBASE-5968
>                 URL: https://issues.apache.org/jira/browse/HBASE-5968
>             Project: HBase
>          Issue Type: Bug
>          Components: util
>    Affects Versions: 0.96.0
>            Reporter: Enis Soztutar
>            Assignee: Enis Soztutar
>
> I noticed that we are not doing html escaping for the rs/master web interfaces, so you can end up generating html like: 
> {code}
> <tr>
>   <td>ci,,\xEEp/<T\xBE\xC0,1336471826990.fc5a943e75ce8521b1ccdaf72d2c96c8.</td>
>   
>   <td>
>     <a href="hostname">hostname</a>
>   </td>
>   
>   <td>,\xEEp/<T\xBE\xC0</td>
>   <td>-n\xA8\xE0\x15\xDD\x80!</td>
>   <td>2966724</td>
> </tr>
> {code}
> This obviously does not render properly. 
> Also, my crazy theory is that it can be a security risk, since the region name is computed from table rows, which are most of the time user input. Thus if the rows contain a "<script onload=" or similar, then that will be executed on the developer's browser, possibly having access to the dev environment.

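The two problems the report describes, the broken rendering of a binary row key and markup in a row key reaching the browser as markup, can be reproduced without a cluster. The script below is an added example, not HBase code: it builds a region name from a table name, start key and region id, renders the region table row both the way the issue shows it (unescaped) and with every data-derived value passed through an HTML escaper, and then lists any tag in the output that the template itself did not emit. The byte-to-string rule is an approximation of Bytes.toStringBinary, the MD5 encoded name is assumed to match HBase's region naming, and the table, keys, host and request count are constructed from the numbers in the issue.

```python
import hashlib
import html
import re

# Constructed sample data, not taken from a real cluster: table, region id,
# host and request count echo the issue's example; the second start key is
# the kind of markup-carrying row key the reporter is worried about.
TABLE = b"ci"
REGION_ID = 1336471826990
HOST = "hostname"
REQUESTS = 2966724
START_KEYS = {
    "binary": b",\xeep/<T\xbe\xc0",
    "xss": b'<img src=x onerror="alert(1)">',
}
END_KEY = b"-n\xa8\xe0\x15\xdd\x80!"


def to_string_binary(data: bytes) -> str:
    """Approximation of HBase's Bytes.toStringBinary (the exact rule is an
    assumption here): printable ASCII other than backslash is kept, every
    other byte becomes \\xHH. '<', '>', '"' and '&' are printable and pass
    through untouched, which is how a raw row key smuggles markup into HTML."""
    return "".join(
        chr(b) if 0x20 <= b <= 0x7E and b != 0x5C else "\\x%02X" % b
        for b in data
    )


def region_name(table: bytes, start_key: bytes, region_id: int) -> bytes:
    """Build '<table>,<startkey>,<regionid>.<encoded>.' (assumption: the
    encoded name is the hex MD5 of everything before it, as in HBase)."""
    prefix = table + b"," + start_key + b"," + str(region_id).encode()
    return prefix + b"." + hashlib.md5(prefix).hexdigest().encode() + b"."


def _row(escape_cells: bool, start_key: bytes) -> str:
    name = to_string_binary(region_name(TABLE, start_key, REGION_ID))
    start = to_string_binary(start_key)
    end = to_string_binary(END_KEY)
    host = HOST
    if escape_cells:
        # quote=True also turns '"' and "'" into entities, so the value is
        # safe inside an attribute like href="..." as well as in element text.
        name, start, end, host = (html.escape(s, quote=True)
                                  for s in (name, start, end, host))
    return (
        "<tr>\n"
        f"  <td>{name}</td>\n"
        f'  <td><a href="{host}">{host}</a></td>\n'
        f"  <td>{start}</td>\n"
        f"  <td>{end}</td>\n"
        f"  <td>{REQUESTS}</td>\n"
        "</tr>"
    )


def render_row_unescaped(start_key: bytes) -> str:
    """What the issue shows: toStringBinary output dropped into HTML verbatim."""
    return _row(False, start_key)


def render_row_escaped(start_key: bytes) -> str:
    """The fix: every data-derived value is HTML-escaped before it hits the page."""
    return _row(True, start_key)


TAG_RE = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)[^>]*>")
TEMPLATE_TAGS = {"tr", "td", "a"}


def foreign_tags(rendered: str) -> list:
    """Names of tags in the rendered row that the template never emits itself.
    Anything listed came from data and a browser would parse it as markup:
    '<T\\xBE...' from the binary key swallows text up to the next '>' (the
    broken rendering); '<img ... onerror=...>' runs script in the viewer's
    browser."""
    return [m.group(2) for m in TAG_RE.finditer(rendered)
            if m.group(2).lower() not in TEMPLATE_TAGS]


if __name__ == "__main__":
    for label, key in START_KEYS.items():
        for render in (render_row_unescaped, render_row_escaped):
            row = render(key)
            print(f"--- {label} / {render.__name__}: foreign tags {foreign_tags(row)}")
            print(row)
```

Running it prints four rows. The unescaped binary row reports a stray `T` tag (the `<T\xBE\xC0...` fragment from the key), and the unescaped row for the crafted key reports an `img` tag with an `onerror` handler, once in the region name cell and once in the start key cell. Both escaped rows report no foreign tags, because `<` has become `&lt;` and the quotes in the handler have become `&quot;`.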