[SPARK-46893] Remove inline scripts from UI descriptions - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 3.4.1
Fix Version/s: 4.0.0, 3.5.1, 3.4.3
Component/s: UI, Web UI
Labels:
- pull-request-available

Description

Users can inject inline scripts (e.g. onclick or onmouseover handlers) in the UI job and stage descriptions.

The UI already has precaution to treat, e.g., <script> tags as plain-text. But that doesn't extend to inline scripts.

Example:

Bad job descriptions

scala> sc.setJobDescription("""<a href="/link" onmouseover="alert('oops');">onmouseover</a>""")

scala> spark.sql("SELECT 1").show()
...

scala> sc.setJobDescription("""<a href="/link" onclick="alert('oops');">onclick</a>""")

scala> spark.sql("SELECT 1").show()
...

Attachments

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

Screen Recording 2024-01-28 at 17.51.47.mov
28/Jan/24 17:59
1.16 MB
Willi Raschkowski
Screenshot 2024-01-29 at 09.06.34.png
29/Jan/24 09:07
121 kB
Willi Raschkowski

Issue Links

links to

GitHub Pull Request #44933

Activity

People

Assignee:: Willi Raschkowski

Reporter:: Willi Raschkowski

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 28/Jan/24 17:59

Updated:: 30/Jan/24 06:44

Resolved:: 30/Jan/24 06:43