[ https://issues.apache.org/jira/browse/FLINK-2789?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Stephan Ewen resolved FLINK-2789.
---------------------------------
       Resolution: Not A Problem
    Fix Version/s: 0.10

The old web frontend that was affected by that is no longer part of Flink and has been replaced by the new web frontend.

> Vulnerability to XSS attack due to printing HTML output
> -------------------------------------------------------
>
>                 Key: FLINK-2789
>                 URL: https://issues.apache.org/jira/browse/FLINK-2789
>             Project: Flink
>          Issue Type: Bug
>            Reporter: Ted Yu
>            Priority: Minor
>             Fix For: 0.10
>
>
> In flink-clients/src/main/java/org/apache/flink/client/web/PlanDisplayServlet.java :
> {code}
> writer.println(" // register the event handler for the 'run' button and activate zoom Buttons\n"
>         + " activateZoomButtons();"
>         + " $('#run_button').click(function () {\n" + " $('#run_button').remove();\n"
>         + " $.ajax( {" + " url: '/runJob'," + " data: { action: 'runsubmitted', id: '" + uid + "' },"
>         + " success: function () { alert('Job succesfully submitted');"
>         + (this.runtimeVisURL != null
>             ? (" window.location = \"" + this.runtimeVisURL + "\"; },") : " },")
> {code}
> Printing HTML output induces XSS vulnerability

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
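
The pattern the report points at, as an added example that is not part of the original issue or of Flink's code: a value concatenated into a quoted JavaScript string inside servlet output can change the script's structure unless it is encoded for that context. The class, the method names and the sample input are hypothetical, and the example assumes `uid` and the redirect URL may carry untrusted characters, which the report does not state.

```java
import java.net.URI;

// Added example, not Flink code; all names and the sample input are hypothetical.
public class InlineScriptEscaping {

    // Encode a value as a single-quoted JavaScript string literal that is also
    // safe inside an HTML <script> block. Everything outside a small allowlist
    // becomes a backslash-u escape, so quotes, backslashes, '<' and line breaks
    // cannot terminate the literal or the script element.
    static String jsString(String value) {
        StringBuilder out = new StringBuilder("'");
        for (char c : value.toCharArray()) {
            boolean allowed = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                    || (c >= '0' && c <= '9') || " -_.:/".indexOf(c) >= 0;
            if (allowed) out.append(c);
            else out.append(String.format("\\u%04x", (int) c));
        }
        return out.append("'").toString();
    }

    // Same shape as the concatenation quoted in the report: the value is
    // placed between quotes with no encoding.
    static String unescaped(String uid) {
        return "data: { action: 'runsubmitted', id: '" + uid + "' },";
    }

    // Hardened form: the encoder supplies the quotes and the escaping.
    static String escaped(String uid) {
        return "data: { action: 'runsubmitted', id: " + jsString(uid) + " },";
    }

    // A URL assigned to window.location also needs a scheme check, because
    // string escaping alone does not restrict where the browser navigates.
    static String redirect(String url) {
        String scheme = URI.create(url).getScheme(); // throws on malformed input
        if (!"http".equalsIgnoreCase(scheme) && !"https".equalsIgnoreCase(scheme)) {
            throw new IllegalArgumentException("unexpected URL scheme: " + scheme);
        }
        return "window.location = " + jsString(url) + ";";
    }

    public static void main(String[] args) {
        String uid = "x', injected: 'y"; // constructed sample input
        System.out.println(unescaped(uid)); // the quote ends the literal early
        System.out.println(escaped(uid));   // the value stays one string literal
        System.out.println(redirect("http://localhost:8081/")); // constructed URL
    }
}
```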