[HADOOP-6151] The servlets should quote html characters - ASF JIRA

XML

Word

Printable

JSON

Hadoop Flags:

Reviewed
Release Note:

Hide
The input parameters for all of the servlets will have the 5 html meta characters quoted. The characters are '&', '<', '>', '"' and the apostrophe. The goal is to ensure that our web ui servlets can't be used for cross site scripting (XSS) attacks. In particular, it blocks the frequent (especially for errors) case where the servlet echos back the parameters to the user.

Show
The input parameters for all of the servlets will have the 5 html meta characters quoted. The characters are '&', '<', '>', '"' and the apostrophe. The goal is to ensure that our web ui servlets can't be used for cross site scripting (XSS) attacks. In particular, it blocks the frequent (especially for errors) case where the servlet echos back the parameters to the user.

We need to quote html characters that come from user generated data. Otherwise, all of the web ui's have cross site scripting attack, etc.

relates to

HADOOP-4487 Security features for Hadoop