@sarutak (Member) commented Dec 10, 2025

What changes were proposed in this pull request?

This PR backports #53364 to branch-3.5.

This PR aims to escape the user name displayed in the history page.

Why are the changes needed?

Similar to the issue resolved in #52851, the user name should also be escaped because an arbitrary user name can be set through the env var `SPARK_USER`.

Does this PR introduce any user-facing change?

No.

How was this patch tested?

The user name displayed in the history page is escaped even if the name is like `<script>alert('XSS')</script>`.

Was this patch authored or co-authored using generative AI tooling?

No.
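As an added illustration (not the Spark code this PR changes; the history page itself is rendered in Scala), here are the two renderings of the user cell side by side in Python, with a parser-based check that confirms the name quoted above stays inert text only after escaping. The row template and the app id are simplified assumptions.

```python
import html
from html.parser import HTMLParser

# Constructed sample names; the last one is the payload quoted in the PR description.
XSS_NAME = "<script>alert('XSS')</script>"
SAMPLE_USER_NAMES = ["alice", "tom & o'brien", XSS_NAME]

def render_user_cell_unescaped(app_id, user):
    """'Before': the name is interpolated verbatim, so markup in it becomes markup."""
    return f"<tr><td>{app_id}</td><td>{user}</td></tr>"

def render_user_cell_escaped(app_id, user):
    """'After': every untrusted value is HTML-escaped (quotes included)."""
    return f"<tr><td>{html.escape(app_id)}</td><td>{html.escape(user)}</td></tr>"

class CellInspector(HTMLParser):
    """Records each <td>'s text and any tag that opens inside a cell."""
    def __init__(self):
        super().__init__()
        self.in_td, self.cells, self.nested_tags = False, [], []
    def handle_starttag(self, tag, attrs):
        if tag == "td":
            self.in_td = True
            self.cells.append("")
        elif self.in_td:            # an element inside the cell means markup leaked
            self.nested_tags.append(tag)
    def handle_endtag(self, tag):
        if tag == "td":
            self.in_td = False
    def handle_data(self, data):     # entity references arrive already decoded
        if self.in_td:
            self.cells[-1] += data

def inspect_row(rendered):
    """Parse a rendered row and return (cell texts, tags opened inside cells)."""
    p = CellInspector()
    p.feed(rendered)
    p.close()
    return p.cells, p.nested_tags

def user_cell_is_safe(rendered, expected_user):
    """True when the user cell round-trips to the original plain text with no element inside."""
    cells, nested = inspect_row(rendered)
    return len(cells) == 2 and cells[1] == expected_user and not nested

if __name__ == "__main__":
    for name in SAMPLE_USER_NAMES:
        for render in (render_user_cell_unescaped, render_user_cell_escaped):
            row = render("app-20251210", name)   # app id is a constructed sample value
            print(render.__name__, "safe" if user_cell_is_safe(row, name) else "UNSAFE", row)
```

The unescaped rendering turns the name into a real `<script>` element, which the inspector reports as a nested tag; the escaped rendering parses back to the literal name with nothing nested.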

@sarutak (Member, Author) commented Dec 10, 2025

The failed test seems to be related to #53332, not this change.

@sarutak (Member, Author) commented Dec 19, 2025

cc: @dongjoon-hyun @yaooqinn who are the reviewers of #53364

@dongjoon-hyun (Member) left a comment

+1, LGTM. Thank you, @sarutak .

sarutak added a commit that referenced this pull request Dec 19, 2025

### What changes were proposed in this pull request?
This PR backports #53364 to `branch-3.5`.

This PR aims to escape the user name displayed in the history page.

### Why are the changes needed?
Similar to the issue resolved in #52851, the user name should also be escaped because an arbitrary user name can be set through the env var `SPARK_USER`.

### Does this PR introduce _any_ user-facing change?
No.

### How was this patch tested?
The user name displayed in the history page is escaped even if the name is like `<script>alert('XSS')</script>`.

### Was this patch authored or co-authored using generative AI tooling?
No.

Closes #53425 from sarutak/fix-username-xss-3.5.

Authored-by: Kousuke Saruta <sarutak@amazon.co.jp>
Signed-off-by: Kousuke Saruta <sarutak@apache.org>

@sarutak (Member, Author) commented Dec 19, 2025

Thank you @dongjoon-hyun !
Merged to branch-3.5.

@sarutak sarutak closed this Dec 19, 2025