HDDS-2111. XSS fragments can be injected to the S3g landing page

Signed-off-by: Anu Engineer <aengineer@apache.org>
This commit is contained in:
Márton Elek 2019-09-14 05:33:05 +02:00 committed by Anu Engineer
parent 66bd1681f8
commit 2358e53e9c
2 changed files with 29 additions and 2 deletions

View File

@ -21,6 +21,7 @@
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta http-equiv="Content-Security-Policy" content="script-src 'self';">
<!-- The above 3 meta tags *must* come first in the head; any other head content must come *after* these tags -->
<meta name="description" content="Apache Hadoop Ozone S3 gateway">
@ -68,12 +69,15 @@ <h1>S3 gateway</h1>
<p>For example with aws-cli:</p>
<pre>aws s3api --endpoint <script>document.write(window.location.href.replace("static/", ""))</script> create-bucket --bucket=wordcount</pre>
<pre>aws s3api --endpoint <span id="s3gurl"></span> create-bucket --bucket=wordcount</pre>
<p>For more information, please check the <a href="docs">documentation.</a>
</p>
</div><!-- /.container -->
<script src="static/bootstrap-3.4.1/js/bootstrap.min.js"></script>
<script src="jquery-3.4.1.min.js"></script>
<script src="bootstrap-3.4.1/js/bootstrap.min.js"></script>
<script src="s3g.js"></script>
</body>
</html>

View File

@ -0,0 +1,23 @@
/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
window.onload = function () {
var safeurl = window.location.protocol + "//" + window.location.host + window.location.pathname;
safeurl = safeurl.replace("static/", "");
document.getElementById('s3gurl').innerHTML = safeurl;
};