From 4b3e38705cb24aee82615b1b9af47ed549ea1358 Mon Sep 17 00:00:00 2001
From: chenheng <chenheng@apache.org>
Date: Thu, 3 Mar 2016 12:07:00 +0800
Subject: [PATCH] HBASE-15329 Cross-Site Scripting: Reflected in table.jsp
 (Samir Ahmic)

---
 .../src/main/resources/hbase-webapps/master/table.jsp        | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/hbase-server/src/main/resources/hbase-webapps/master/table.jsp b/hbase-server/src/main/resources/hbase-webapps/master/table.jsp
index a3372aef6a4..8a835652ce7 100644
--- a/hbase-server/src/main/resources/hbase-webapps/master/table.jsp
+++ b/hbase-server/src/main/resources/hbase-webapps/master/table.jsp
@@ -24,6 +24,7 @@
   import="java.util.Map"
   import="java.util.Set"
   import="java.util.Collection"
+  import="org.owasp.esapi.ESAPI"
   import="org.apache.hadoop.conf.Configuration"
   import="org.apache.hadoop.hbase.client.HTable"
   import="org.apache.hadoop.hbase.client.Admin"
@@ -74,7 +75,7 @@
     <% if ( !readOnly && action != null ) { %>
         <title>HBase Master: <%= master.getServerName() %></title>
     <% } else { %>
-        <title>Table: <%= fqtn %></title>
+        <title>Table: <%= ESAPI.encoder().encodeForHTML(fqtn) %></title>
     <% } %>
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
     <meta name="description" content="">
@@ -169,7 +170,7 @@ if ( fqtn != null ) {
 <div class="container-fluid content">
     <div class="row inner_header">
         <div class="page-header">
-            <h1>Table <small><%= fqtn %></small></h1>
+            <h1>Table <small><%= ESAPI.encoder().encodeForHTML(fqtn) %></small></h1>
         </div>
     </div>
     <div class="row">