[ https://issues.apache.org/jira/browse/SPARK-46893?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Dongjoon Hyun resolved SPARK-46893.
-----------------------------------
    Fix Version/s: 3.4.3
                   3.5.1
                   4.0.0
       Resolution: Fixed

Issue resolved by pull request 44933
[https://github.com/apache/spark/pull/44933]

> Remove inline scripts from UI descriptions
> ------------------------------------------
>
>                 Key: SPARK-46893
>                 URL: https://issues.apache.org/jira/browse/SPARK-46893
>             Project: Spark
>          Issue Type: Bug
>          Components: UI, Web UI
>    Affects Versions: 3.4.1
>            Reporter: Willi Raschkowski
>            Assignee: Willi Raschkowski
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 3.4.3, 3.5.1, 4.0.0
>
>         Attachments: Screen Recording 2024-01-28 at 17.51.47.mov, Screenshot 2024-01-29 at 09.06.34.png
>
>
> Users can inject inline scripts (e.g. {{onclick}} or {{onmouseover}} handlers) in the UI job and stage descriptions.
>
> The UI already has a precaution to treat, e.g., {{<script>}} tags as plain text. But that doesn't extend to inline scripts.
>
> Example:
>
> {code:title=Bad job descriptions}
> scala> sc.setJobDescription("""<a href="/link" onmouseover="alert('oops');">onmouseover</a>""")
> scala> spark.sql("SELECT 1").show()
> ...
> scala> sc.setJobDescription("""<a href="/link" onclick="alert('oops');">onclick</a>""")
> scala> spark.sql("SELECT 1").show()
> ...
> {code}
>
> !Screenshot 2024-01-29 at 09.06.34.png|width=600!

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
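The rendering rule the ticket asks for, shown as an added example in Python rather than Spark's Scala UI code (this is not the project's UIUtils and not the change made in PR 44933): an allow-list pass that keeps `<a>` links with relative `href`s, drops every other attribute on them, including `on*` event handlers, and shows all other markup, `<script>` included, as literal text. The class and function names are assumptions for the illustration, and the inputs at the bottom are constructed from the two descriptions quoted in the ticket. `find_inline_handlers` is an audit helper for spotting descriptions that carry event-handler attributes before they reach the page.

```python
"""Allow-list rendering of user-supplied Spark UI job/stage descriptions.

Added example (Python), not Spark's own Scala UIUtils code. It models the
behaviour the ticket calls for: keep <a> links with relative hrefs, drop
every other attribute on them (including on* event handlers), and render
all other markup, including <script>, as escaped plain text.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit


def is_safe_href(href):
    """Accept only relative, scheme-less, host-less links.

    Rejects javascript:, data:, http(s): and protocol-relative //host links,
    plus anything containing control characters (which some browsers strip
    before interpreting a scheme).
    """
    if not href or any(ord(c) < 0x20 for c in href):
        return False
    parts = urlsplit(href.strip())
    return parts.scheme == "" and parts.netloc == ""


class DescriptionSanitizer(HTMLParser):
    """Rewrites a description so that only <a href="relative"> survives as HTML."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # sanitized HTML fragments
        self.open_links = 0    # <a> tags we emitted and still need to close
        self.dropped = []      # (tag, attribute) pairs for on* handlers found

    def _record_handlers(self, tag, attrs):
        # HTMLParser lowercases attribute names, so ONCLICK is caught too.
        self.dropped.extend((tag, name) for name, _ in attrs if name.startswith("on"))

    def handle_starttag(self, tag, attrs):
        self._record_handlers(tag, attrs)
        href = dict(attrs).get("href")
        if tag == "a" and is_safe_href(href):
            # Re-emit the link with href as its only attribute.
            self.out.append('<a href="%s">' % escape(href.strip()))
            self.open_links += 1
        else:
            # Any other tag is shown literally, exactly as the user typed it.
            self.out.append(escape(self.get_starttag_text()))

    def handle_startendtag(self, tag, attrs):
        # Self-closing tags such as <img ... /> are never rendered as HTML.
        self._record_handlers(tag, attrs)
        self.out.append(escape(self.get_starttag_text()))

    def handle_endtag(self, tag):
        if tag == "a" and self.open_links > 0:
            self.open_links -= 1
            self.out.append("</a>")
        else:
            self.out.append(escape("</%s>" % tag))

    def handle_data(self, data):
        self.out.append(escape(data))

    def handle_comment(self, data):
        self.out.append(escape("<!--%s-->" % data))

    def handle_decl(self, decl):
        self.out.append(escape("<!%s>" % decl))

    def unknown_decl(self, data):
        self.out.append(escape("<![%s]>" % data))

    def handle_pi(self, data):
        self.out.append(escape("<?%s>" % data))

    def result(self):
        # Close any links the input left open so the fragment stays well-formed.
        return "".join(self.out) + "</a>" * self.open_links


def sanitize_description(desc):
    """Return an HTML fragment that is safe to embed in the UI page."""
    p = DescriptionSanitizer()
    p.feed(desc)
    p.close()
    return p.result()


def find_inline_handlers(desc):
    """Audit helper: list (tag, attribute) pairs of on* handlers in a description."""
    p = DescriptionSanitizer()
    p.feed(desc)
    p.close()
    return p.dropped


if __name__ == "__main__":
    # Constructed inputs mirroring the two descriptions from the ticket.
    for bad in ('<a href="/link" onmouseover="alert(\'oops\');">onmouseover</a>',
                '<a href="/link" onclick="alert(\'oops\');">onclick</a>',
                '<script>alert(1)</script>'):
        print(find_inline_handlers(bad), "->", sanitize_description(bad))
```

The design choice is to re-emit an accepted link from scratch with a single `href` attribute rather than to strip a blocklist of attribute names, so a handler spelled in an unexpected way has no path to the output, and to escape the raw text of every other tag rather than drop it, which keeps a user's intent visible in the UI while rendering it inert.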