Willi Raschkowski created SPARK-46893:
-----------------------------------------
Summary: Sanitize UI descriptions from inline scripts
Key: SPARK-46893
URL: https://issues.apache.org/jira/browse/SPARK-46893
Project: Spark
Issue Type: Bug
Components: UI, Web UI
Affects Versions: 3.4.1
Reporter: Willi Raschkowski
Attachments: Screen Recording 2024-01-28 at 17.51.47.mov
Users can inject inline scripts (e.g. {{onclick}} or {{onmouseover}} handlers)
in the UI job and stage descriptions.
The UI already has precautions to treat, e.g., {{<script>}} tags as plain text.
But that doesn't extend to inline scripts.
{code:title=Bad job descriptions}
scala> sc.setJobDescription("""<a href="/link"
onmouseover="alert('oops');">onmouseover</a>""")
scala> spark.sql("SELECT 1").show()
...
scala> sc.setJobDescription("""<a href="/link"
onclick="alert('oops');">onclick</a>""")
scala> spark.sql("SELECT 1").show()
...
{code}
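One defensive approach to the issue described above, as an added Python example that is not Spark's code: parse the description, re-serialise only allowlisted markup (an {{<a>}} element carrying nothing but a safe {{href}}), and fall back to escaping the whole string as soon as an event-handler attribute, a {{javascript:}} URL, any other tag or unbalanced markup appears. The names `sanitize_description`, `ALLOWED_ATTRS` and `SAFE_SCHEMES` are hypothetical.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allowlist (hypothetical policy): only <a>, only href, only these schemes;
# "" covers relative links such as /link.
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = {"", "http", "https"}


class _DescriptionChecker(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.safe = True
        self.open_tags = []
        self.parts = []  # re-serialised, allowlisted markup

    def handle_starttag(self, tag, attrs):
        allowed = ALLOWED_ATTRS.get(tag)
        if allowed is None:  # <script>, <img>, <svg>, ...
            self.safe = False
            return
        rendered = []
        for name, value in attrs:
            # onclick=, onmouseover= and any other non-allowlisted attribute
            # disqualify the whole description, as does a javascript: href.
            if name not in allowed or urlsplit(value or "").scheme.lower() not in SAFE_SCHEMES:
                self.safe = False
                return
            rendered.append(f' {name}="{html.escape(value or "")}"')
        self.open_tags.append(tag)
        self.parts.append(f"<{tag}{''.join(rendered)}>")

    def handle_endtag(self, tag):
        if not self.open_tags or self.open_tags.pop() != tag:
            self.safe = False  # stray or mismatched closing tag
            return
        self.parts.append(f"</{tag}>")

    def handle_data(self, data):
        self.parts.append(html.escape(data))  # text is always re-escaped


def sanitize_description(desc: str) -> str:
    """Plain <a href> links survive; anything else renders as escaped text."""
    checker = _DescriptionChecker()
    checker.feed(desc)
    checker.close()
    if checker.safe and not checker.open_tags:
        return "".join(checker.parts)
    return html.escape(desc)
```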
--
This message was sent by Atlassian Jira
(v8.20.10#820010)