Simple patch to fix the issue.

Just encountered this

+1!

I tested by submitting a bad job name (with a new line and an embedded image HTML tag).
1. With only escapeHtml, the new line causes the Javascript parser to throw an error
2. With only escapeJavascript, the embedded HTML image was rendered. This could lead to XSS
3. Javascript escaping the Html escaped string (as in the patch), got the correct behavior.

-1 overall. Here are the results of testing the latest attachment
http://issues.apache.org/jira/secure/attachment/12560316/YARN-266.patch
against trunk revision .

+1 @author. The patch does not contain any @author tags.

-1 tests included. The patch doesn't appear to include any new or modified tests.
Please justify why no new tests are needed for this patch.
Also please list what manual steps were performed to verify this patch.

+1 javac. The applied patch does not increase the total number of javac compiler warnings.

+1 javadoc. The javadoc tool did not generate any warning messages.

+1 eclipse:eclipse. The patch built with eclipse:eclipse.

+1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

+1 release audit. The applied patch does not increase the total number of release audit warnings.

+1 core tests. The patch passed unit tests in hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager.

+1 contrib tests. The patch passed contrib unit tests.

Test results: https://builds.apache.org/job/PreCommit-YARN-Build/213//testReport/
Console output: https://builds.apache.org/job/PreCommit-YARN-Build/213//console

This message is automatically generated.

+1, will commit shortly.

Thanks, Ravi. I committed this to trunk, branch-2, and branch-0.23.

Integrated in Hadoop-trunk-Commit #3111 (See https://builds.apache.org/job/Hadoop-trunk-Commit/3111/)
YARN-266. RM and JHS Web UIs are blank because AppsBlock is not escaping string properly. Contributed by Ravi Prakash (Revision 1420232)

Result = SUCCESS
jlowe : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1420232
Files :

• /hadoop/common/trunk/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/webapp/HsJobsBlock.java
• /hadoop/common/trunk/hadoop-yarn-project/CHANGES.txt
• /hadoop/common/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/AppsBlock.java

Integrated in Hadoop-Yarn-trunk #63 (See https://builds.apache.org/job/Hadoop-Yarn-trunk/63/)
YARN-266. RM and JHS Web UIs are blank because AppsBlock is not escaping string properly. Contributed by Ravi Prakash (Revision 1420232)

Result = SUCCESS
jlowe : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1420232
Files :

• /hadoop/common/trunk/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/webapp/HsJobsBlock.java
• /hadoop/common/trunk/hadoop-yarn-project/CHANGES.txt
• /hadoop/common/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/AppsBlock.java

Integrated in Hadoop-Hdfs-0.23-Build #461 (See https://builds.apache.org/job/Hadoop-Hdfs-0.23-Build/461/)
svn merge -c 1420232 FIXES: YARN-266. RM and JHS Web UIs are blank because AppsBlock is not escaping string properly. Contributed by Ravi Prakash (Revision 1420234)

Result = SUCCESS
jlowe : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1420234
Files :

• /hadoop/common/branches/branch-0.23/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/webapp/HsJobsBlock.java
• /hadoop/common/branches/branch-0.23/hadoop-yarn-project/CHANGES.txt
• /hadoop/common/branches/branch-0.23/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/AppsBlock.java

Integrated in Hadoop-Hdfs-trunk #1252 (See https://builds.apache.org/job/Hadoop-Hdfs-trunk/1252/)
YARN-266. RM and JHS Web UIs are blank because AppsBlock is not escaping string properly. Contributed by Ravi Prakash (Revision 1420232)

Result = FAILURE
jlowe : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1420232
Files :

• /hadoop/common/trunk/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/webapp/HsJobsBlock.java
• /hadoop/common/trunk/hadoop-yarn-project/CHANGES.txt
• /hadoop/common/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/AppsBlock.java

Integrated in Hadoop-Mapreduce-trunk #1283 (See https://builds.apache.org/job/Hadoop-Mapreduce-trunk/1283/)
YARN-266. RM and JHS Web UIs are blank because AppsBlock is not escaping string properly. Contributed by Ravi Prakash (Revision 1420232)

Result = SUCCESS
jlowe : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1420232
Files :

• /hadoop/common/trunk/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/webapp/HsJobsBlock.java
• /hadoop/common/trunk/hadoop-yarn-project/CHANGES.txt
• /hadoop/common/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/AppsBlock.java