GitHub user n-marion opened a pull request: https://github.com/apache/spark/pull/17686
[SPARK-20393][Web UI] Strengthen Spark to prevent XSS vulnerabilities

## What changes were proposed in this pull request?

Add stripXSS and stripXSSMap to Spark Core's UIUtils. Call these functions at any point where getParameter is called against an HttpServletRequest.

## How was this patch tested?

Unit tests, IBM Security AppScan Standard no longer showing vulnerabilities, manual verification of WebUI pages.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/n-marion/spark xss-fix

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/spark/pull/17686.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #17686

----
commit 6bdc629380f9e0b65700b5ebe47e35e257f6ddae
Author: NICHOLAS T. MARION <nmar...@us.ibm.com>
Date:   2017-04-10T15:14:09Z

    UIUtils.stripXSS added for each page calling request.getParameter.

commit c812f2ecfb6d9c22362e72914a1f454aaf49d2ba
Author: NICHOLAS T. MARION <nmar...@us.ibm.com>
Date:   2017-04-10T15:52:38Z

    Perform stripXSS on creation of allParameters mapping

commit 06a67914d72618c5f3a0bc70e7576863c9872a0c
Author: NICHOLAS T. MARION <nmar...@us.ibm.com>
Date:   2017-04-11T20:39:01Z

    getParameterMap returns Array[String], created new function to handle

----

---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscr...@spark.apache.org
For additional commands, e-mail: reviews-h...@spark.apache.org
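The pull request description above says the fix is a pair of UIUtils helpers applied wherever a page reads a request parameter. The following is an added illustration of that pattern, written for this page; it is not Spark's own UIUtils code and does not reproduce the pull request. The names stripXSS and stripXSSMap are taken from the description; the escaping rules, the sample parameter map and the renderPageTitle page fragment are assumptions made for the example. It shows the same parameter value rendered raw (attribute break-out followed by a script tag) and after sanitisation, and also the Array[String] shape that the third commit mentions for getParameterMap.

```scala
// Added example, not Spark's code: a request-parameter sanitiser in the spirit of
// the UIUtils.stripXSS / stripXSSMap helpers described in the pull request.
object StripXssExample {

  // Characters that let a parameter value break out of an HTML attribute or text
  // node; each is replaced by its entity so the browser renders it as literal text.
  private val HtmlEntities: Map[Char, String] = Map(
    '&' -> "&amp;",
    '<' -> "&lt;",
    '>' -> "&gt;",
    '"' -> "&quot;",
    '\'' -> "&#39;"
  )

  /** Neutralise one request parameter: drop CR/LF (so a value cannot be reused to
    * inject a header or a log line), then HTML-escape the remainder. A null input
    * stays null because HttpServletRequest.getParameter returns null when the
    * parameter is absent, and callers test for that. */
  def stripXSS(requestParameter: String): String = {
    if (requestParameter == null) {
      null
    } else {
      val noNewlines = requestParameter.replaceAll("[\r\n]", "")
      val sb = new StringBuilder
      noNewlines.foreach(c => sb.append(HtmlEntities.getOrElse(c, c.toString)))
      sb.toString
    }
  }

  /** The same treatment for the shape getParameterMap returns: each parameter may
    * carry several values, so every value (and the key) is sanitised. */
  def stripXSSMap(parameterMap: Map[String, Array[String]]): Map[String, Array[String]] = {
    parameterMap.map { case (key, values) => stripXSS(key) -> values.map(stripXSS) }
  }

  /** Assumed page fragment: a title that interpolates a parameter straight into
    * HTML. It is only safe when its argument has been sanitised first. */
  def renderPageTitle(id: String): String = s"<h3>Details for $id</h3>"

  def main(args: Array[String]): Unit = {
    // Constructed input: a crafted `id` value and a second `sort` value carrying a
    // CRLF, the kind of payload a scanner such as AppScan submits.
    val rawParams: Map[String, Array[String]] = Map(
      "id"   -> Array("1\"><script>alert(document.cookie)</script>"),
      "sort" -> Array("duration", "\r\nX-Injected: 1")
    )

    val unsafeTitle = renderPageTitle(rawParams("id")(0))
    val cleanParams = stripXSSMap(rawParams)
    val safeTitle   = renderPageTitle(cleanParams("id")(0))

    println(s"raw       : $unsafeTitle")
    println(s"sanitised : $safeTitle")

    // The escaped value can no longer close the attribute or open a script tag.
    assert(!safeTitle.contains("<script>"))
    // Every value of a multi-valued parameter is covered, including the CRLF one.
    assert(cleanParams("sort").forall(v => !v.contains("\n") && !v.contains("\r")))
    assert(stripXSS(null) == null)
  }
}
```

Calling the sanitiser at the single point where allParameters is built, as the second commit does, is what keeps individual pages from forgetting it; the per-page stripXSS calls are then a second line of defence for code paths that still read request.getParameter directly.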