HBASE-1299 JSPs don't HTML escape literals (ie: table names, region names, start & end keys)

git-svn-id: https://svn.apache.org/repos/asf/hbase/trunk@1416645 13f79535-47bb-0310-9956-ffa450edef68
2012-12-03 19:38:57 +00:00 · 2012-12-03 19:38:57 +00:00 · ee254fa233
parent 5a408cf256
commit ee254fa233
2 changed files with 14 additions and 12 deletions
--- a/hbase-server/src/main/resources/hbase-webapps/master/table.jsp
+++ b/hbase-server/src/main/resources/hbase-webapps/master/table.jsp
@ -18,11 +18,15 @@
 */
 --%>
 <%@ page contentType="text/html;charset=UTF-8"
+  import="static org.apache.commons.lang.StringEscapeUtils.escapeXml"
  import="java.util.HashMap"
+  import="java.util.List"
+  import="java.util.Map"
  import="org.apache.hadoop.conf.Configuration"
  import="org.apache.hadoop.hbase.client.HTable"
  import="org.apache.hadoop.hbase.client.HBaseAdmin"
  import="org.apache.hadoop.hbase.client.HConnectionManager"
+  import="org.apache.hadoop.hbase.HConstants"
  import="org.apache.hadoop.hbase.HRegionInfo"
  import="org.apache.hadoop.hbase.ServerName"
  import="org.apache.hadoop.hbase.ServerLoad"
@ -30,10 +34,7 @@
  import="org.apache.hadoop.hbase.master.HMaster" 
  import="org.apache.hadoop.hbase.util.Bytes"
  import="org.apache.hadoop.hbase.util.FSUtils"
-  import="org.apache.hadoop.hbase.protobuf.ProtobufUtil"
-  import="java.util.List"
-  import="java.util.Map"
-  import="org.apache.hadoop.hbase.HConstants"%><%
+  import="org.apache.hadoop.hbase.protobuf.ProtobufUtil"%><%
  HMaster master = (HMaster)getServletContext().getAttribute(HMaster.MASTER);
  Configuration conf = master.getConfiguration();
  HBaseAdmin hbadmin = new HBaseAdmin(conf);
@ -217,11 +218,11 @@
    String url = "http://" + metaLocation.getHostname() + ":" + infoPort + "/";
 %>
 <tr>
-  <td><%= meta.getRegionNameAsString() %></td>
+  <td><%= escapeXml(meta.getRegionNameAsString()) %></td>
    <td><a href="<%= url %>"><%= metaLocation.getHostname().toString() + ":" + infoPort %></a></td>
    <td>-</td>
-    <td><%= Bytes.toString(meta.getStartKey()) %></td>
-    <td><%= Bytes.toString(meta.getEndKey()) %></td>
+    <td><%= escapeXml(Bytes.toString(meta.getStartKey())) %></td>
+    <td><%= escapeXml(Bytes.toString(meta.getEndKey())) %></td>
 </tr>
 <%  } %>
 </table>
@ -281,7 +282,7 @@
    }
 %>
 <tr>
-  <td><%= Bytes.toStringBinary(regionInfo.getRegionName())%></td>
+  <td><%= escapeXml(Bytes.toStringBinary(regionInfo.getRegionName())) %></td>
  <%
  if (urlRegionServer != null) {
  %>
@ -295,8 +296,8 @@
  <%
  }
  %>
-  <td><%= Bytes.toStringBinary(regionInfo.getStartKey())%></td>
-  <td><%= Bytes.toStringBinary(regionInfo.getEndKey())%></td>
+  <td><%= escapeXml(Bytes.toStringBinary(regionInfo.getStartKey())) %></td>
+  <td><%= escapeXml(Bytes.toStringBinary(regionInfo.getEndKey())) %></td>
  <td><%= req%></td>
 </tr>
 <% } %>
--- a/hbase-server/src/main/resources/hbase-webapps/master/tablesDetailed.jsp
+++ b/hbase-server/src/main/resources/hbase-webapps/master/tablesDetailed.jsp
@ -18,6 +18,7 @@
 */
 --%>
 <%@ page contentType="text/html;charset=UTF-8"
+  import="static org.apache.commons.lang.StringEscapeUtils.escapeXml"
  import="java.util.*"
  import="org.apache.hadoop.util.StringUtils"
  import="org.apache.hadoop.conf.Configuration"
@ -89,8 +90,8 @@
 </tr>
 <%   for(HTableDescriptor htDesc : tables ) { %>
 <tr>
-    <td><%= htDesc.getNameAsString() %></td>
-    <td><%= htDesc.toString() %></td>
+    <td><%= escapeXml(htDesc.getNameAsString()) %></td>
+    <td><%= escapeXml(htDesc.toString()) %></td>
 </tr>
 <%   }  %>