[ https://issues.apache.org/jira/browse/YARN-1932?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Arun C Murthy updated YARN-1932:
--------------------------------
    Priority: Blocker  (was: Critical)

> Javascript injection on the job status page
> -------------------------------------------
>
>                 Key: YARN-1932
>                 URL: https://issues.apache.org/jira/browse/YARN-1932
>             Project: Hadoop YARN
>          Issue Type: Bug
>    Affects Versions: 3.0.0, 0.23.9, 2.5.0
>            Reporter: Mit Desai
>            Assignee: Mit Desai
>            Priority: Blocker
>         Attachments: YARN-1932.patch
>
>
> Scripts can be injected into the job status page as the diagnostics field is
> not sanitized. Whatever string you set there will show up on the jobs page as
> it is ... i.e. if you put any script commands, they will be executed in the
> browser of the user who is opening the page.
> We need to escape the diagnostic string in order to not run the scripts.

--
This message was sent by Atlassian JIRA
(v6.2#6252)
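Added example, not Hadoop's code and not the attached patch: it reproduces the failure mode the report describes, a diagnostics string concatenated into a page verbatim, next to the same rendering with HTML escaping applied at the point of output. The diagnostics value, the `escapeHtml` helper, the `<td>` template and the `cellBodyHasNoTags` check are all constructed for this demo; how the real fix escapes the string is not reproduced here.

```java
// Added example (not Hadoop's code): why an unescaped diagnostics string
// on the job status page is a stored XSS, and what escaping at output does.
public class DiagnosticsEscapeDemo {

    // Minimal HTML escaping of the five characters that can close a text
    // node or attribute value. Hand-written for the demo; the real patch
    // may use a different helper.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Vulnerable pattern: the user-controlled value is pasted into the
    // markup as-is, so any tags it contains become part of the page.
    static String renderUnsafe(String diagnostics) {
        return "<td>" + diagnostics + "</td>";
    }

    // Hardened pattern: escape at the point where the value enters HTML
    // text context. (A value placed inside a script block or a URL
    // attribute would need context-specific encoding instead.)
    static String renderSafe(String diagnostics) {
        return "<td>" + escapeHtml(diagnostics) + "</td>";
    }

    // Demo-only check: after rendering, the cell body must not contain a
    // raw '<', i.e. nothing from the diagnostics value can open a tag.
    static boolean cellBodyHasNoTags(String cell) {
        String body = cell.substring("<td>".length(),
                                     cell.length() - "</td>".length());
        return body.indexOf('<') < 0;
    }

    public static void main(String[] args) {
        // Constructed diagnostics value, as a job owner could set it:
        // a plausible message with a script payload appended.
        String diagnostics =
            "Task failed: <script>alert(document.cookie)</script>";

        String unsafe = renderUnsafe(diagnostics);
        String safe = renderSafe(diagnostics);

        System.out.println("unsafe: " + unsafe);
        System.out.println("safe:   " + safe);
        System.out.println("unsafe cell injectable: " + !cellBodyHasNoTags(unsafe));
        System.out.println("safe cell injectable:   " + !cellBodyHasNoTags(safe));
    }
}
```

Compile and run with `javac DiagnosticsEscapeDemo.java && java DiagnosticsEscapeDemo`. The escaped cell shows the literal text `&lt;script&gt;...` to the viewer, while the unescaped cell carries a live `<script>` element that the browser of whoever opens the page would execute; the `escapeHtml` function here is the text-context escaping the report asks for, and escaping must happen on every output path, not just this one cell.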