[ https://issues.apache.org/jira/browse/YARN-1993?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14525592#comment-14525592 ]
Tsuyoshi Ozawa commented on YARN-1993:
--------------------------------------

Warnings by javac and javadoc are not related to the patch.

> Cross-site scripting vulnerability in TextView.java
> ---------------------------------------------------
>
>                 Key: YARN-1993
>                 URL: https://issues.apache.org/jira/browse/YARN-1993
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: webapp
>            Reporter: Ted Yu
>            Assignee: Kenji Kikushima
>         Attachments: YARN-1993.patch
>
>
> In
> hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/view/TextView.java
> , method echo() e.g. :
> {code}
> for (Object s : args) {
>   out.print(s);
> }
> {code}
> Printing s to an HTML page allows cross-site scripting, because it was not
> properly sanitized for context HTML attribute name.
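As an added illustration (my own code, not the project's TextView.java and not the YARN-1993.patch attachment), the loop quoted in the issue is shown next to a variant that escapes each argument before printing it; escapeHtml and safeAttrName are hypothetical helpers written for this example, and the sample value is constructed.

```java
import java.io.PrintWriter;
import java.io.StringWriter;
import java.util.regex.Pattern;

// Added example, not Hadoop code: the verbatim echo from the issue next to
// an escaping variant, plus a check for the attribute-name context the
// issue mentions (names cannot be entity-escaped; they have to be validated).
public class EchoEscapingDemo {

  // Mirrors the quoted loop: every argument is written verbatim.
  static String echoRaw(Object... args) {
    StringWriter sw = new StringWriter();
    PrintWriter out = new PrintWriter(sw);
    for (Object s : args) {
      out.print(s);
    }
    out.flush();
    return sw.toString();
  }

  // Hypothetical escaper for HTML text and quoted attribute values:
  // replaces the characters that can end or restructure the markup.
  static String escapeHtml(String s) {
    StringBuilder sb = new StringBuilder(s.length() + 16);
    for (int i = 0; i < s.length(); i++) {
      char c = s.charAt(i);
      switch (c) {
        case '&': sb.append("&amp;"); break;
        case '<': sb.append("&lt;"); break;
        case '>': sb.append("&gt;"); break;
        case '"': sb.append("&quot;"); break;
        case '\'': sb.append("&#39;"); break;
        default: sb.append(c);
      }
    }
    return sb.toString();
  }

  // Same loop as echoRaw, but each argument is escaped before printing.
  static String echoEscaped(Object... args) {
    StringWriter sw = new StringWriter();
    PrintWriter out = new PrintWriter(sw);
    for (Object s : args) {
      out.print(escapeHtml(String.valueOf(s)));
    }
    out.flush();
    return sw.toString();
  }

  // Attribute names are a different context: there is no escape sequence
  // that makes an arbitrary string a safe name, so allow only a strict set.
  private static final Pattern ATTR_NAME = Pattern.compile("[A-Za-z_:][A-Za-z0-9_:.-]*");

  static String safeAttrName(String name) {
    if (!ATTR_NAME.matcher(name).matches()) {
      throw new IllegalArgumentException("unsafe attribute name: " + name);
    }
    return name;
  }

  public static void main(String[] argv) {
    // Constructed sample value standing in for an unsanitized request parameter.
    String untrusted = "\"><b>injected</b>";
    // Unescaped: the quote closes the attribute and the rest becomes markup.
    System.out.println("<span title=\"" + echoRaw(untrusted) + "\">");
    // Escaped: the value stays inside the attribute as inert text.
    System.out.println("<span title=\"" + echoEscaped(untrusted) + "\">");
    // Attribute-name context: a valid name passes, anything else is rejected.
    System.out.println("<span " + safeAttrName("data-id") + "=\"1\">");
    try {
      safeAttrName("x onmouseover");
    } catch (IllegalArgumentException e) {
      System.out.println("rejected: " + e.getMessage());
    }
  }
}
```

The first println shows the attribute being closed early by the raw value; the second keeps the same value inert inside the attribute. The separate safeAttrName check reflects the issue's remark about the attribute-name context: value escaping alone does not make a caller-supplied name safe, so names must be validated against an allowed pattern rather than escaped.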