YARN-1932. Javascript injection on the job status page. Contributed by Mit Desai
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1588572 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
parent
8d569c2220
commit
d667df4ed0
@ -147,6 +147,9 @@ Release 2.4.1 - UNRELEASED
YARN-1281. Fixed TestZKRMStateStoreZKClientConnections to not fail
intermittently due to ZK-client timeouts. (Tsuyoshi Ozawa via vinodkv)
YARN-1932. Javascript injection on the job status page (Mit Desai via
jlowe)
Release 2.4.0 - 2014-04-07
INCOMPATIBLE CHANGES
@ -62,11 +62,11 @@ public class InfoBlock extends HtmlBlock {
DIV<TD<TR<TABLE<DIV<Hamlet>>>>> singleLineDiv;
for ( String line :lines) {
singleLineDiv = td.div();
singleLineDiv._r(line);
singleLineDiv._(line);
singleLineDiv._();
}
} else {
td._r(value);
td._(value);
}
td._();
} else {
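Review bot: The switch to the escaping form at `singleLineDiv._(line)` and `td._(value)` carries no comment recording why `_()` rather than `_r()` is required here, so a later edit could quietly reintroduce raw output; a one-line note above the `for` loop would pin it, e.g. `// _() HTML-escapes the value; _r() emitted it raw and let untrusted ResponseInfo values reach the page unescaped (YARN-1932)`. The enclosing method starts before this hunk and continues past it, and the outer `else` branch that opens on the hunk's last line is not visible, so any other render path there (for non-String values) should be checked for the same raw-output pattern.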
@ -21,6 +21,7 @@ package org.apache.hadoop.yarn.webapp.view;
import java.io.PrintWriter;
import java.io.StringWriter;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
import org.apache.hadoop.yarn.webapp.ResponseInfo;
@ -34,6 +35,33 @@ public class TestInfoBlock {
public static PrintWriter pw;
static final String JAVASCRIPT = "<script>alert('text')</script>";
static final String JAVASCRIPT_ESCAPED =
"<script>alert('text')</script>";
public static class JavaScriptInfoBlock extends InfoBlock{
static ResponseInfo resInfo;
static {
resInfo = new ResponseInfo();
resInfo._("User_Name", JAVASCRIPT);
}
@Override
public PrintWriter writer() {
return TestInfoBlock.pw;
}
JavaScriptInfoBlock(ResponseInfo info) {
super(resInfo);
}
public JavaScriptInfoBlock() {
super(resInfo);
}
}
public static class MultilineInfoBlock extends InfoBlock{
static ResponseInfo resInfo;
@ -78,4 +106,13 @@ public class TestInfoBlock {
+ " This is second line.%n </div>%n");
assertTrue(output.contains(expectedSinglelineData) && output.contains(expectedMultilineData));
}
@Test(timeout=60000L)
public void testJavaScriptInfoBlock() throws Exception{
WebAppTests.testBlock(JavaScriptInfoBlock.class);
TestInfoBlock.pw.flush();
String output = TestInfoBlock.sw.toString();
assertFalse(output.contains("<script>"));
assertTrue(output.contains(JAVASCRIPT_ESCAPED));
}
}
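Review bot: As rendered here, `JAVASCRIPT_ESCAPED` reads as `"<script>alert('text')</script>"`, byte-identical to `JAVASCRIPT`, which would make `assertFalse(output.contains("<script>"))` and `assertTrue(output.contains(JAVASCRIPT_ESCAPED))` mutually exclusive; this is most likely the page decoding the `&lt;`/`&gt;` entities of the source literal, but the committed literal should be confirmed to hold the entity-escaped form, since the test cannot pass otherwise. In the preceding hunk, `JavaScriptInfoBlock(ResponseInfo info)` ignores its `info` parameter and passes the static `resInfo`, duplicating the no-arg constructor; either `super(info);` or removing that constructor would avoid a misleading signature. `testJavaScriptInfoBlock` also depends on the static `sw`/`pw` fields declared outside the hunk, and a short Javadoc saying that the block is fed the `JAVASCRIPT` payload via `User_Name` and the rendered output must contain only its escaped form would make the intent of the two assertions clear to the next reader.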