svn merge -c 1588572 FIXES: YARN-1932. Javascript injection on the job status page. Contributed by Mit Desai

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-0.23@1588577 13f79535-47bb-0310-9956-ffa450edef68

hadoop-yarn-project/CHANGES.txt

@@ -33,6 +33,9 @@ Release 0.23.11 - UNRELEASED
     YARN-1670. aggregated log writer can write more log data then it says is
     the log length (Mit Desai via jeagles)
 
+    YARN-1932. Javascript injection on the job status page (Mit Desai via
+    jlowe)
+
 Release 0.23.10 - 2013-12-09
 
   INCOMPATIBLE CHANGES

hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/view/InfoBlock.java

@@ -57,11 +57,11 @@ public class InfoBlock extends HtmlBlock {
         	DIV<TD<TR<TABLE<DIV<Hamlet>>>>> singleLineDiv;
             for ( String line :lines) {
               singleLineDiv = td.div();
-              singleLineDiv._r(line);
+              singleLineDiv._(line);
               singleLineDiv._();
             }
           } else {
-            td._r(value);
+            td._(value);
           }
           td._();
         } else {

hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/test/java/org/apache/hadoop/yarn/webapp/view/TestInfoBlock.java

@@ -21,6 +21,7 @@ package org.apache.hadoop.yarn.webapp.view;
 import java.io.PrintWriter;
 import java.io.StringWriter;
 
+import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
 
 import org.apache.hadoop.yarn.webapp.ResponseInfo;
@@ -34,6 +35,33 @@ public class TestInfoBlock {
 
   public static PrintWriter pw;
 
+  static final String JAVASCRIPT = "<script>alert('text')</script>";
+  static final String JAVASCRIPT_ESCAPED =
+      "&lt;script&gt;alert('text')&lt;/script&gt;";
+
+  public static class JavaScriptInfoBlock extends InfoBlock{
+
+    static ResponseInfo resInfo;
+
+    static {
+      resInfo = new ResponseInfo();
+      resInfo._("User_Name", JAVASCRIPT);
+    }
+
+    @Override
+    public PrintWriter writer() {
+      return TestInfoBlock.pw;
+    }
+
+    JavaScriptInfoBlock(ResponseInfo info) {
+      super(resInfo);
+    }
+
+    public JavaScriptInfoBlock() {
+      super(resInfo);
+    }
+  }
+
   public static class MultilineInfoBlock extends InfoBlock{
     
     static ResponseInfo resInfo;
@@ -78,4 +106,13 @@ public class TestInfoBlock {
       + " This is second line.\n </div>\n";
     assertTrue(output.contains(expectedSinglelineData) && output.contains(expectedMultilineData));
   }
+  
+  @Test(timeout=60000L)
+  public void testJavaScriptInfoBlock() throws Exception{
+    WebAppTests.testBlock(JavaScriptInfoBlock.class);
+    TestInfoBlock.pw.flush();
+    String output = TestInfoBlock.sw.toString();
+    assertFalse(output.contains("<script>"));
+    assertTrue(output.contains(JAVASCRIPT_ESCAPED));
+  }
 }