sarutak commented on code in PR #54589:
URL: https://github.com/apache/spark/pull/54589#discussion_r2880122750
##########
core/src/main/resources/org/apache/spark/ui/static/executorspage.js:
##########
@@ -46,6 +46,149 @@ function getHeapHistogramEnabled() {
return heapHistogramEnabled;
}
+function loadScript(src) {
+ return new Promise(function(resolve, reject) {
+ if (document.querySelector('script[src="' + src + '"]')) {
+ resolve();
+ return;
+ }
+ var s = document.createElement('script');
+ s.src = src;
+ s.onload = resolve;
+ s.onerror = reject;
+ document.head.appendChild(s);
+ });
+}
+
+function openDetailOffcanvas(url, title) {
+ var offcanvasEl = document.getElementById('executor-detail-offcanvas');
+ var offcanvasBody =
document.getElementById('executor-detail-offcanvas-body');
+ var offcanvasLabel =
document.getElementById('executor-detail-offcanvas-label');
+ offcanvasLabel.textContent = title;
+ offcanvasBody.innerHTML = '<div class="d-flex justify-content-center p-5">' +
+ '<div class="spinner-border text-primary" role="status">' +
+ '<span class="visually-hidden">Loading...</span></div></div>';
+ var bsOffcanvas = bootstrap.Offcanvas.getOrCreateInstance(offcanvasEl);
+ bsOffcanvas.show();
+ $.get(url, function(html) {
+ var parser = new DOMParser();
+ var doc = parser.parseFromString(html, 'text/html');
+ var container = doc.querySelector('.container-fluid');
+ if (container) {
+ // Strip non-executable script/link tags from flamegraph chart before
injecting
+ var fgChart = container.querySelector('#executor-flamegraph-chart');
+ if (fgChart) {
+ fgChart.querySelectorAll('script, link').forEach(function(el) {
el.remove(); });
+ }
+ offcanvasBody.innerHTML = container.innerHTML;
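Review bot: The `$.get(url, ...)` call in `openDetailOffcanvas` has no failure handler in the visible lines, so a failed fetch leaves the offcanvas showing the spinner indefinitely; unless the continuation outside the hunk adds one, chain `.fail(function () { offcanvasBody.textContent = 'Failed to load ' + title; })` so the user sees an error instead of a stuck spinner. `openDetailOffcanvas` and its callback continue past the last line of the hunk. Separately, `loadScript` builds its duplicate-check selector as `'script[src="' + src + '"]'`; a `src` containing a double quote yields an invalid selector that makes `querySelector` throw before any script is added, so use `'script[src="' + CSS.escape(src) + '"]'` or compare `script.src` values directly. The `reject` handler also rejects with the raw error event rather than an `Error`, which makes callers' logging less useful.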
Review Comment:
How about sanitizing the whole `container` rather than `fgChart`, which is a part
of `container`?
##########
core/src/main/resources/org/apache/spark/ui/static/executorspage.js:
##########
@@ -589,14 +732,14 @@ $(document).ready(function () {
name: 'threadDumpCol',
data: function (row) { return row.isActive ? row.id : '' },
render: function (data, type) {
- return data != '' && type === 'display' ? ("<a
href='threadDump/?executorId=" + data + "'>Thread Dump</a>" ) : data;
+ return data != '' && type === 'display' ? ("<a
href='javascript:void(0)' class='offcanvas-link'
data-detail-url='threadDump/?executorId=" + encodeURIComponent(data) + "'
data-detail-title='Thread Dump for Executor " + data + "'>Thread Dump</a>" ) :
data;
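Review bot: The new `render` function wraps `data` in `encodeURIComponent` for the `data-detail-url` value but interpolates the same `data` raw into the single-quoted `data-detail-title` attribute, so an executor id containing `'` or `&` breaks out of that attribute while the URL is protected. Escape `data` for the attribute context as well (at minimum `'` and `&`), or build the anchor through jQuery's attribute API so the value is never pasted into markup; the same pattern presumably applies to the other offcanvas link mentioned in the existing review. The surrounding DataTables column definition starts and ends outside the hunk.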
Review Comment:
`javascript:void(0)` does not seem to actually be evaluated by popular browsers, so
this part doesn't cause a problem, but how about replacing `href='javascript:void(0)'`
with `href='#'` here and in the other place to comply with CSP?