@Chhida Chhida commented Nov 3, 2025

What changes were proposed in this pull request?

In the History Server main dashboard, the application name needs to be escaped.

Why are the changes needed?

An unescaped app name could lead to XSS.
Example:

cat << EOF > script.py
from pyspark.sql import SparkSession

if __name__ == "__main__":
    spark = (
        SparkSession.builder
        .appName("<img src=x onerror=alert(/jedi master/)><script>alert(/Hello there/)</script>")
        .getOrCreate()
    )
    print(spark.range(1000 * 1000 * 1000).count())
    spark.stop()
EOF

Does this PR introduce any user-facing change?

No

How was this patch tested?

Tests already exist; it was manually tested.

Was this patch authored or co-authored using generative AI tooling?

No
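The PR description shows how an attacker-chosen application name becomes markup when the History Server page splices it into the table unescaped. The following is an added illustration, not Spark's own code: a minimal row renderer in its vulnerable and hardened forms, using the payload from the description as constructed input, with a check a reviewer can run to confirm no foreign tags survive rendering.

```javascript
// Added example (not Spark's code): unescaped vs. escaped rendering of an
// application name into a history-table row.

// Constructed sample: the app name from the PR description, as the History
// Server would receive it from the Spark application's configuration.
const SAMPLE_APP_NAME =
  '<img src=x onerror=alert(/jedi master/)><script>alert(/Hello there/)</script>';

// HTML-escape every character that can open a tag, close an attribute value
// or start an entity reference.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable rendering: the untrusted name is concatenated straight into markup.
function renderRowUnsafe(app) {
  return `<tr><td>${app.id}</td><td>${app.name}</td></tr>`;
}

// Hardened rendering: every untrusted field is escaped before concatenation.
function renderRowSafe(app) {
  return `<tr><td>${escapeHtml(app.id)}</td><td>${escapeHtml(app.name)}</td></tr>`;
}

// Defender's check: count tags in the rendered row other than the <tr>/<td>
// scaffolding. Anything left over is attacker-controlled markup.
function countForeignTags(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.filter((t) => !/^<\/?(tr|td)>$/.test(t)).length;
}

// Constructed application record (the id is a placeholder).
const app = { id: 'app-20251103-0001', name: SAMPLE_APP_NAME };
console.log(countForeignTags(renderRowUnsafe(app))); // 3: <img>, <script>, </script>
console.log(countForeignTags(renderRowSafe(app)));   // 0
```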

@github-actions github-actions bot added the WEB UI label Nov 3, 2025
@github-actions github-actions bot added the INFRA label Nov 3, 2025
@github-actions github-actions bot removed the INFRA label Nov 3, 2025
@Chhida Chhida changed the title Ensure the application name in historypage get escaped XSS: Ensure the application name in historypage get escaped Nov 3, 2025
@dongjoon-hyun dongjoon-hyun (Member) left a comment

Thank you, @Chhida . Could you file a JIRA issue?

@Chhida Chhida changed the title XSS: Ensure the application name in historypage get escaped [SPARK-53337] XSS: Ensure the application name in historypage get escaped Nov 4, 2025
@Chhida Chhida (Author) commented Nov 4, 2025

Thank you, @Chhida . Could you file a JIRA issue?
Hi @dongjoon-hyun,
I created this PR instead of this one (#52084); I can see it's the same bug.

@Chhida Chhida requested a review from dongjoon-hyun November 4, 2025 08:39