This is an automated email from the ASF dual-hosted git repository. moon pushed a commit to branch branch-0.8 in repository https://gitbox.apache.org/repos/asf/zeppelin.git
The following commit(s) were added to refs/heads/branch-0.8 by this push:
     new c8eabde  ZEPPELIN-4335 Deleting a Notebook is vulnerable to XSS attack

c8eabde is described below

commit c8eabde13f226fd0647c623e6eb67170768d02d1
Author: Akhil Subhash Naik <asn...@hortonworks.com>
AuthorDate: Thu Sep 19 11:25:40 2019 +0530

    ZEPPELIN-4335 Deleting a Notebook is vulnerable to XSS attack

    ### What is this PR for?
    Fix of: ZEPPELIN-4335 Deleting a Notebook is vulnerable to XSS attack

    Issue reproduction steps:
    1) create a notebook
    2) give the permission to notebook as: <script>alert('hi')</script> (press space after writing this, not enter key)
    3) after this, try to delete the notebook; the BootstrapDialog that pops up stating insufficient privileges is vulnerable to XSS attack

    ### What type of PR is it?
    BUG FIX ZEPPELIN-4335

    ### What is the Jira issue?
    https://issues.apache.org/jira/browse/ZEPPELIN-4335

    ### How should this be tested?
    Test as per reproduction steps:
    1) create a notebook
    2) give the permission to notebook as: <script>alert('hi')</script> (press space after writing this, not enter key)
    3) after this, try to delete the notebook; the BootstrapDialog that pops up stating insufficient privileges is vulnerable to XSS attack

    ### Questions:
    * Do the license files need updating? No
    * Are there breaking changes for older versions? No
    * Does this need documentation? No

    Author: Akhil Subhash Naik <asn...@hortonworks.com>

    Closes #3452 from Akhilsnaik/ZEPPELIN-4335 and squashes the following commits:

    95212d846 [Akhil Subhash Naik] ZEPPELIN-4335 Deleting a Notebook is vulnerable to XSS attack (asnaik)

    (cherry picked from commit f9e2ff8ff8316e973957041b0f213ce7651cab1c)
    Signed-off-by: Lee moon soo <m...@apache.org>
---
 zeppelin-web/src/components/websocket/websocket-event.factory.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/zeppelin-web/src/components/websocket/websocket-event.factory.js b/zeppelin-web/src/components/websocket/websocket-event.factory.js index 8698fdf..dd4f17b 100644 --- a/zeppelin-web/src/components/websocket/websocket-event.factory.js +++ b/zeppelin-web/src/components/websocket/websocket-event.factory.js @@ -105,7 +105,7 @@ function WebsocketEventFactory($rootScope, $websocket, $location, baseUrlSrv, ng closeByBackdrop: false, closeByKeyboard: false, title: 'Insufficient privileges', - message: data.info.toString(), + message: _.escape(data.info.toString()), buttons: btn, }); } else if (op === 'PARAGRAPH') {
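Review bot: the escaping is applied at a single call site in `WebsocketEventFactory`, and the hunk does not show `_` (lodash) being imported or injected, so confirm it is genuinely in scope for this module rather than an incidental global. `_.escape` is the right primitive here, since BootstrapDialog renders `message` as HTML and `_.escape` neutralises `&`, `<`, `>`, `"`, `'` and backtick, which is what stops the `<script>` payload from the reproduction steps from executing. Two follow-ups worth raising: `data.info.toString()` still runs before `_.escape`, so an `ERROR_INFO` message without an `info` field would throw at this line exactly as before, and a guard such as `_.escape(String(data.info))` or a default would make the handler robust; and because the root cause is user-controlled permission text being rendered as HTML, any other dialog in this factory that displays `data.info` or similar server-echoed values the same way needs the same treatment, otherwise this fixes one symptom of the class rather than the class.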