HBASE-15270 Use appropriate encoding for "filter" field in TaskMonitorTmpl.jamon.

Signed-off-by: chenheng <chenheng@apache.org>
2016-02-16 12:04:37 +01:00 · 2016-02-16 12:04:37 +01:00 · bba4f107c1
parent c7eb72a91c
commit bba4f107c1
1 changed files with 11 additions and 1 deletions
--- a/hbase-server/src/main/jamon/org/apache/hadoop/hbase/tmpl/common/TaskMonitorTmpl.jamon
+++ b/hbase-server/src/main/jamon/org/apache/hadoop/hbase/tmpl/common/TaskMonitorTmpl.jamon
@ -20,12 +20,22 @@ limitations under the License.
 java.util.*;
 org.apache.hadoop.hbase.monitoring.*;
 org.apache.hadoop.util.StringUtils;
+org.owasp.esapi.ESAPI;
+org.owasp.esapi.errors.EncodingException;
 </%import>
 <%args>
 TaskMonitor taskMonitor = TaskMonitor.get();
 String filter = "general";
 String format = "html";
 </%args>
+<%class>
+    public String encodeFilter() {
+    try {
+    return ESAPI.encoder().encodeForURL(filter);
+    }catch(EncodingException e) {}
+    return ESAPI.encoder().encodeForHTML(filter);
+    }
+</%class>
 <%java>
 List<? extends MonitoredTask> tasks = taskMonitor.getTasks();
 Iterator<? extends MonitoredTask> iter = tasks.iterator();
@ -62,7 +72,7 @@ boolean first = true;
    <li <%if filter.equals("handler")%>class="active"</%if>><a href="?filter=handler">Show All RPC Handler Tasks</a></li>
    <li <%if filter.equals("rpc")%>class="active"</%if>><a href="?filter=rpc">Show Active RPC Calls</a></li>
    <li <%if filter.equals("operation")%>class="active"</%if>><a href="?filter=operation">Show Client Operations</a></li>
-    <li><a href="?format=json&filter=<% filter %>">View as JSON</a></li>
+    <li><a href="?format=json&filter=<% encodeFilter() %>">View as JSON</a></li>
  </ul>
  <%if tasks.isEmpty()%>
    <p>No tasks currently running on this node.</p>