[ https://issues.apache.org/jira/browse/SPARK-46893?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17811850#comment-17811850 ]
Willi Raschkowski edited comment on SPARK-46893 at 1/29/24 12:15 PM:
---------------------------------------------------------------------

cc [~dongjoon], for your awareness as PMC who's recently touched the UI. I'm wondering if we should file a CVE for this.

was (Author: raschkowski):
[~dongjoon], for your awareness as PMC who's recently touched the UI. I'm wondering if we should file a CVE for this.

> Remove inline scripts from UI descriptions
> ------------------------------------------
>
>                 Key: SPARK-46893
>                 URL: https://issues.apache.org/jira/browse/SPARK-46893
>             Project: Spark
>          Issue Type: Bug
>          Components: UI, Web UI
>    Affects Versions: 3.4.1
>            Reporter: Willi Raschkowski
>            Priority: Major
>              Labels: pull-request-available
>         Attachments: Screen Recording 2024-01-28 at 17.51.47.mov, Screenshot 2024-01-29 at 09.06.34.png
>
>
> Users can inject inline scripts (e.g. {{onclick}} or {{onmouseover}} handlers) in the UI job and stage descriptions.
> The UI already has a precaution to treat, e.g., {{<script>}} tags as plain text. But that doesn't extend to inline scripts.
> Example:
> {code:title=Bad job descriptions}
> scala> sc.setJobDescription("""<a href="/link" onmouseover="alert('oops');">onmouseover</a>""")
> scala> spark.sql("SELECT 1").show()
> ...
> scala> sc.setJobDescription("""<a href="/link" onclick="alert('oops');">onclick</a>""")
> scala> spark.sql("SELECT 1").show()
> ...
> {code}
> !Screenshot 2024-01-29 at 09.06.34.png|width=600!
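The report's core point is that neutralising `<script>` tags is not the same as neutralising script: an `<a>` element that is allowed to render can still carry an `onmouseover`/`onclick` handler or a `javascript:` target. The following is an added illustration, not Spark's own UI code and not the fix from the linked pull request. It uses Python's standard `html.parser` to contrast a "escape only `<script>`" filter (`naive_sanitize`, modelled on the precaution the report describes) with an allowlist re-serialiser (`sanitize_description`) that keeps only listed tags and attributes, drops every `on*` attribute, and accepts only same-origin paths or http(s) URLs in `href`. The allowlist contents and all function and class names are assumptions made for the example; the two payloads are the ones from the report.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed allowlist for this example; Spark's UI keeps its own list of
# permitted tags, and these names are assumptions, not Spark's code.
ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "code", "span", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "span": {"title"}}
VOID_TAGS = {"br"}

_SCRIPT_TAG = re.compile(r"</?\s*script\b[^>]*>", re.IGNORECASE | re.DOTALL)


def naive_sanitize(desc: str) -> str:
    """The incomplete precaution the report describes: only <script> tags are
    shown as text. Event-handler attributes and javascript: URLs pass through."""
    return _SCRIPT_TAG.sub(lambda m: escape(m.group(0)), desc)


def safe_href(value: str) -> bool:
    """Allow only same-origin paths and http(s) URLs as link targets."""
    # Browsers drop tabs and newlines inside a URL, so strip all whitespace
    # before looking at the scheme; otherwise "java\tscript:" beats a prefix test.
    compact = "".join(value.split()).lower()
    if compact.startswith("//"):  # protocol-relative: points off-site
        return False
    return compact.startswith(("/", "http://", "https://"))


class AllowlistSanitizer(HTMLParser):
    """Re-serialises a description keeping only allowlisted tags and attributes.
    Everything else is emitted as escaped text, so it renders but never runs."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=False)
        self.out: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            # Unknown element: show it literally, the same way <script> is treated.
            self.out.append(escape(self.get_starttag_text()))
            return
        kept = []
        for name, value in attrs:  # HTMLParser lowercases attribute names
            if name.startswith("on"):  # onclick, onmouseover, onerror, ...
                continue
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            if name == "href" and not safe_href(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")
        else:
            self.out.append(escape(f"</{tag}>"))

    def handle_data(self, data):
        self.out.append(escape(data))

    # Entities the user wrote stay as entities (no double-escaping, no decoding).
    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    # Comments, doctypes and processing instructions carry nothing a description needs.
    def handle_comment(self, data):
        pass

    def handle_decl(self, decl):
        pass

    def handle_pi(self, data):
        pass


def sanitize_description(desc: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(desc)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # The two payloads from the report, constructed here as sample input.
    for payload in (
        '<a href="/link" onmouseover="alert(\'oops\');">onmouseover</a>',
        '<a href="/link" onclick="alert(\'oops\');">onclick</a>',
    ):
        print("naive    :", naive_sanitize(payload))
        print("allowlist:", sanitize_description(payload))
```

The important design choice is that the parser never tries to recognise "bad" attributes; it recognises good ones and re-emits only those, so a new handler name or a scheme obfuscated with whitespace or character references (which `html.parser` decodes in attribute values before the check runs) cannot slip past a denylist. Disallowed elements are turned into visible text rather than silently removed, matching how the report says `<script>` already behaves.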