This is an automated email from the ASF dual-hosted git repository. wuzhiguo pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ambari.git
The following commit(s) were added to refs/heads/trunk by this push: new 379c98e84f AMBARI-25384: Ambari Files View is Vulnerable to XSS attack (#3490) 379c98e84f is described below commit 379c98e84feac7c53dcff8b739b0dedf4d2345f9 Author: Zhiguo Wu <wuzhi...@apache.org> AuthorDate: Tue Nov 15 00:36:53 2022 +0800 AMBARI-25384: Ambari Files View is Vulnerable to XSS attack (#3490) --- .../views/files/src/main/resources/ui/app/components/delete-modal.js | 2 +- .../views/files/src/main/resources/ui/app/services/alert-messages.js | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/contrib/views/files/src/main/resources/ui/app/components/delete-modal.js b/contrib/views/files/src/main/resources/ui/app/components/delete-modal.js
index cb71ba7b92..49f6e9dd25 100644
--- a/contrib/views/files/src/main/resources/ui/app/components/delete-modal.js
+++ b/contrib/views/files/src/main/resources/ui/app/components/delete-modal.js
@@ -80,7 +80,7 @@ export default Ember.Component.extend(OperationModal, {
 this.set('hasError', true);
 this.set('currentFailedPath', error.failed);
 this.set('currentServerFailureMessage', error.message);
- this.set('currentFailureMessage', `Failed to delete <strong>${error.failed}</strong>.`);
+ this.set('currentFailureMessage', `Failed to delete <strong>${Ember.Handlebars.Utils.escapeExpression(error.failed)}</strong>.`);
 this.set('shouldRetry', error.retry);
 this.set('currentUnprocessedPaths', error.unprocessed);
 } else {
diff --git a/contrib/views/files/src/main/resources/ui/app/services/alert-messages.js b/contrib/views/files/src/main/resources/ui/app/services/alert-messages.js
index ed4cff1aac..001a4676e0 100644
--- a/contrib/views/files/src/main/resources/ui/app/services/alert-messages.js
+++ b/contrib/views/files/src/main/resources/ui/app/services/alert-messages.js
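Review bot: The line just above the change, `this.set('currentServerFailureMessage', error.message);`, still stores the server-supplied message unescaped, so the fix only closes the `error.failed` path. The `<strong>` markup in `currentFailureMessage` implies the template renders that property with triple-stash; if `currentServerFailureMessage` is rendered the same way (the template is not in this diff, so this needs confirming), a crafted error body is still injected. Either escape it identically, `this.set('currentServerFailureMessage', Ember.Handlebars.Utils.escapeExpression(error.message));`, with the template switched to match, or confirm it is bound with `{{ }}` so Ember escapes it. Wrapping the built string in `Ember.String.htmlSafe(...)` would also make the trust boundary explicit instead of relying on the template to disable escaping. The enclosing error handler begins and ends outside this hunk.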
@@ -75,6 +75,8 @@ export default Ember.Service.extend({
 _processMessage: function(type, message, options, alertOptions) {
 this._clearMessagesIfRequired(alertOptions);
+ //escape html characters in the message
+ message = Ember.Handlebars.Utils.escapeExpression(message);
 let alertRecord = this._createAlert(message, type, options, alertOptions);
 if(alertRecord) {
 this.toggleProperty('alertsChanged');
--------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@ambari.apache.org For additional commands, e-mail: commits-h...@ambari.apache.org
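Review bot: Escaping unconditionally inside `_processMessage` silently changes the contract for every caller: any message built with intentional markup (such as the `<strong>` string the delete-modal component assembles in this same commit) will now display as literal `&lt;strong&gt;` if it is routed through this service, so those call sites need checking. Handlebars' `escapeExpression` returns `toHTML()` untouched for values that carry it, which means an `Ember.String.htmlSafe(...)` value is the only way a caller can opt out; the added comment should say so rather than just "escape html characters", e.g. `// Escape the message before it reaches the template; htmlSafe() SafeStrings bypass this, so callers using them must escape their own interpolations.` Only `message` is escaped while `options` and `alertOptions` flow into `_createAlert` unchanged; if any of their fields end up rendered as HTML they need the same treatment, which cannot be judged from this hunk. `_processMessage` continues past the end of the hunk.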