t oo created AIRFLOW-6351:
-----------------------------
Summary: security - ui - Add Cross Site Scripting defence
Key: AIRFLOW-6351
URL: https://issues.apache.org/jira/browse/AIRFLOW-6351
Project: Apache Airflow
Issue Type: Bug
Components: ui
Affects Versions: 1.10.6, 1.10.7
Reporter: t oo
*Escape the search parameter passed to generate_pages -->*
*BEFORE*
return self.render(
'airflow/dags.html',
webserver_dags=webserver_dags_filtered,
orm_dags=orm_dags,
hide_paused=hide_paused,
current_page=current_page,
search_query=arg_search_query if arg_search_query else '',
page_size=dags_per_page,
num_of_pages=num_of_pages,
num_dag_from=start + 1,
num_dag_to=min(end, num_of_all_dags),
num_of_all_dags=num_of_all_dags,
paging=wwwutils.generate_pages(current_page, num_of_pages,
{color:#FF0000}search=arg_search_query,{color}
showPaused=not hide_paused),
dag_ids_in_page=page_dag_ids,
auto_complete_data=auto_complete_data)
*AFTER*
return self.render(
'airflow/dags.html',
webserver_dags=webserver_dags_filtered,
orm_dags=orm_dags,
hide_paused=hide_paused,
current_page=current_page,
search_query=arg_search_query if arg_search_query else '',
page_size=dags_per_page,
num_of_pages=num_of_pages,
num_dag_from=start + 1,
num_dag_to=min(end, num_of_all_dags),
num_of_all_dags=num_of_all_dags,
paging=wwwutils.generate_pages(current_page, num_of_pages,
{color:#FF0000}search=escape(arg_search_query) if arg_search_query else None,{color}
showPaused=not hide_paused),
dag_ids_in_page=page_dag_ids,
auto_complete_data=auto_complete_data)
[https://github.com/apache/airflow/blob/v1-10-stable/airflow/www/views.py#L2278]