  1. Hue
  2. HUE-2396

Fix Cross-Site Scripting (XSS) Vulnerability

    Details

      Description

      HUE's home page and Hive query editor beeswax have XSS vulnerabilities, which can be broken by malicious user input.
      For example, malicious users are able to break HUE home page by creating a project with name "asdas ><script>alert(5)</script>", and break beeswax by submitting a query like "</code><img src=x onerror="javascript:alert(4) " />".
      This patch adds proper HTML encoding to user input on HUE home page and beeswax to prevent XSS attacks.
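
The following regression check is an added example, not the Hue patch or code from the ticket. It renders the two inputs quoted in the description with and without HTML encoding and parses the result to see which elements the browser would be handed. The `<h4>`/`<pre><code>` markup and all function names are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Constructed inputs: the two strings quoted in the issue description.
PROJECT_NAME = 'asdas ><script>alert(5)</script>'
QUERY = '</code><img src=x onerror="javascript:alert(4) " />'

# Hypothetical page fragment; Hue's real templates are not shown on this page.
def render_unsafe(project, query):
    """'Before' behaviour: user input concatenated into markup unencoded."""
    return '<h4>' + project + '</h4><pre><code>' + query + '</code></pre>'

def render_escaped(project, query):
    """'After' behaviour: user input HTML-encoded at output time."""
    return ('<h4>' + escape(project, quote=True) + '</h4>'
            '<pre><code>' + escape(query, quote=True) + '</code></pre>')

class _Collector(HTMLParser):
    """Records every start tag and all character data in a fragment."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags, self.text = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_data(self, data):
        self.text.append(data)

def _parse(markup):
    parser = _Collector()
    parser.feed(markup)
    parser.close()
    return parser

def injected_tags(markup, allowed=('h4', 'pre', 'code')):
    """Elements present in the output that the template itself never emits."""
    return [t for t in _parse(markup).tags if t not in allowed]

def visible_text(markup):
    """Text a reader would see once the entities are decoded."""
    return ''.join(_parse(markup).text)

if __name__ == '__main__':
    print('unsafe :', injected_tags(render_unsafe(PROJECT_NAME, QUERY)))
    print('escaped:', injected_tags(render_escaped(PROJECT_NAME, QUERY)))
```

With encoding applied, the parsed output contains only the template's own elements, and the decoded text still matches what the user typed.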

            People

            • Assignee:
              viditochani Vidit Ochani
              Reporter:
              viditochani Vidit Ochani