[
https://issues.apache.org/jira/browse/SPARK-46893?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Dongjoon Hyun resolved SPARK-46893.
-----------------------------------
Fix Version/s: 3.4.3
3.5.1
4.0.0
Resolution: Fixed
Issue resolved by pull request 44933
[https://github.com/apache/spark/pull/44933]
> Remove inline scripts from UI descriptions
> ------------------------------------------
>
> Key: SPARK-46893
> URL: https://issues.apache.org/jira/browse/SPARK-46893
> Project: Spark
> Issue Type: Bug
> Components: UI, Web UI
> Affects Versions: 3.4.1
> Reporter: Willi Raschkowski
> Assignee: Willi Raschkowski
> Priority: Major
> Labels: pull-request-available
> Fix For: 3.4.3, 3.5.1, 4.0.0
>
> Attachments: Screen Recording 2024-01-28 at 17.51.47.mov, Screenshot
> 2024-01-29 at 09.06.34.png
>
>
> Users can inject inline scripts (e.g. {{onclick}} or {{onmouseover}}
> handlers) in the UI job and stage descriptions.
> The UI already has precaution to treat, e.g., {{<script>}} tags as
> plain-text. But that doesn't extend to inline scripts.
> Example:
> {code:title=Bad job descriptions}
> scala> sc.setJobDescription("""<a href="/link"
> onmouseover="alert('oops');">onmouseover</a>""")
> scala> spark.sql("SELECT 1").show()
> ...
> scala> sc.setJobDescription("""<a href="/link"
> onclick="alert('oops');">onclick</a>""")
> scala> spark.sql("SELECT 1").show()
> ...
> {code}
> !Screenshot 2024-01-29 at 09.06.34.png|width=600!
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org
For additional commands, e-mail: issues-h...@spark.apache.org
