Posted to yarn-dev@hadoop.apache.org by "Mit Desai (JIRA)" <ji...@apache.org> on 2014/04/11 17:18:15 UTC
[jira] [Created] (YARN-1932) Javascript injection on the job status page
Mit Desai created YARN-1932:
-------------------------------
Summary: Javascript injection on the job status page
Key: YARN-1932
URL: https://issues.apache.org/jira/browse/YARN-1932
Project: Hadoop YARN
Issue Type: Bug
Affects Versions: 0.23.9, 3.0.0, 2.5.0
Reporter: Mit Desai
Assignee: Mit Desai
Priority: Critical
Scripts can be injected into the job status page as the diagnostics field is not sanitized. Whatever string you set there will show up on the jobs page as it is, i.e. if you put any script commands, they will be executed in the browser of the user who is opening the page.
We need to escape the diagnostic string in order to not run the scripts.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
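The fix the report asks for is output escaping: the diagnostics string is untrusted (it can be set by whoever submitted the job) and must be encoded before it is concatenated into the page's HTML. The following is an added example illustrating that, not code from Hadoop YARN or from the reporter. The class and method names (DiagnosticsEscaper, renderUnsafe, renderSafe) are illustrative assumptions, and the sample diagnostics string is constructed; the vulnerable rendering is shown beside the hardened one so the difference is visible in the output.

```java
// Added example (not Hadoop's own code): escaping untrusted diagnostics
// text before it is placed inside the HTML of a status page.
// DiagnosticsEscaper, renderUnsafe and renderSafe are hypothetical names,
// not YARN APIs.
public final class DiagnosticsEscaper {

    private DiagnosticsEscaper() {}

    /**
     * Escape the five characters that carry meaning in HTML text and
     * attribute values. Encoding both quote characters as well as the angle
     * brackets keeps the result safe even if a template later places it
     * inside a quoted attribute rather than in element content.
     */
    public static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Vulnerable form: the diagnostics text is concatenated into the page unchanged. */
    public static String renderUnsafe(String diagnostics) {
        return "<div class=\"diagnostics\">" + diagnostics + "</div>";
    }

    /** Hardened form: the same template, but the untrusted text is escaped first. */
    public static String renderSafe(String diagnostics) {
        return "<div class=\"diagnostics\">" + escapeHtml(diagnostics) + "</div>";
    }

    public static void main(String[] args) {
        // Constructed sample: a diagnostics string that happens to contain markup.
        String diagnostics = "Container killed <b>by</b> \"AM\" & <script>alert(1)</script>";
        System.out.println("unsafe: " + renderUnsafe(diagnostics));
        System.out.println("safe:   " + renderSafe(diagnostics));
    }
}
```

Compiled with `javac DiagnosticsEscaper.java` and run with `java DiagnosticsEscaper`, the unsafe line emits the `<script>` element as live markup, while the safe line emits `&lt;script&gt;alert(1)&lt;/script&gt;`, which the browser renders as literal text. Note that this encoding is specific to HTML element content and quoted attribute values; a diagnostics string that ends up inside an inline JavaScript block or a URL needs the encoding for that context instead, and a page should escape at the point of output rather than trying to strip "bad" characters on input.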