Uploaded image for project: 'Hadoop Common'
  1. Hadoop Common
  2. HADOOP-6151

The servlets should quote html characters

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Critical
    • Resolution: Fixed
    • None
    • 0.21.0
    • security
    • None
    • Reviewed
    • Hide
      The input parameters for all of the servlets will have the 5 html meta characters quoted. The characters are '&', '<', '>', '"' and the apostrophe. The goal is to ensure that our web ui servlets can't be used for cross site scripting (XSS) attacks. In particular, it blocks the frequent (especially for errors) case where the servlet echos back the parameters to the user.
      Show
      The input parameters for all of the servlets will have the 5 html meta characters quoted. The characters are '&', '<', '>', '"' and the apostrophe. The goal is to ensure that our web ui servlets can't be used for cross site scripting (XSS) attacks. In particular, it blocks the frequent (especially for errors) case where the servlet echos back the parameters to the user.

    Description

      We need to quote html characters that come from user generated data. Otherwise, all of the web ui's have cross site scripting attack, etc.

      Attachments

        1. h6151.20.patch
          14 kB
          Devaraj Das
        2. h6151.patch
          14 kB
          Owen O'Malley
        3. h6151.patch
          14 kB
          Owen O'Malley
        4. h6151.patch
          14 kB
          Owen O'Malley
        5. h6151.patch
          14 kB
          Owen O'Malley

        Issue Links

          Activity

            People

              omalley Owen O'Malley
              omalley Owen O'Malley
              Votes:
              1 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: