This is an automated email from the ASF dual-hosted git repository.

dongjoon pushed a commit to branch branch-4.0
in repository https://gitbox.apache.org/repos/asf/spark.git


The following commit(s) were added to refs/heads/branch-4.0 by this push:
     new 50659fcccb0b [SPARK-54624][UI][4.0] Ensure user name in historypage get escaped
50659fcccb0b is described below

commit 50659fcccb0b370b9acd4e2fdcb410ab4306cefc
Author: Kousuke Saruta <[email protected]>
AuthorDate: Wed Dec 17 23:40:31 2025 -0800

    [SPARK-54624][UI][4.0] Ensure user name in historypage get escaped
    
    ### What changes were proposed in this pull request?
    This PR backports #53364 to `branch-4.0`.
    
    This PR aims to escape the user name displayed in the historypage.
    
    ### Why are the changes needed?
    Similar to the issue resolved in #52851, the user name should also get escaped because an arbitrary user name can be set through the env var `SPARK_USER`.
    
    ### Does this PR introduce _any_ user-facing change?
    No.
    
    ### How was this patch tested?
    The user name displayed in the historypage is escaped even if the name is like `<script>alert('XSS')</script>`.
    
    ### Was this patch authored or co-authored using generative AI tooling?
    No.
    
    Closes #53424 from sarutak/fix-username-xss-4.0.
    
    Authored-by: Kousuke Saruta <[email protected]>
    Signed-off-by: Dongjoon Hyun <[email protected]>
---
 core/src/main/resources/org/apache/spark/ui/static/historypage.js | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
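The escaping the commit describes, as an added stand-alone example that is not code from the Spark patch: `escapeHtml` below is a local stand-in for Spark's helper, the `userColumn` object mirrors the DataTables column definition in the hunk, and `renderCell` plus the row data are constructed to show what reaches the table cell when `SPARK_USER` carries markup.

```javascript
// Added example (not from the Spark patch): escape untrusted text before it
// reaches innerHTML, the way the backport applies escapeHtml to `sparkUser`.
// Assumptions: `escapeHtml` is a local stand-in for Spark's helper, and the
// row/column objects mimic the DataTables column definitions in the hunk.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Replace every HTML-significant character with its entity in a single regex
// pass, so a literal '&' is never double-escaped.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Column definition in the shape DataTables expects; `render` receives
// (data, type, row, meta). As in the patch, escaping is applied for every
// call type, so filter and sort also see the escaped form.
const userColumn = {
  name: 'user',
  data: 'sparkUser',
  render: (name) => escapeHtml(name),
};

// Minimal stand-in for DataTables' cell rendering (constructed, not the
// library itself): look up `data`, then apply `render` when one is defined.
function renderCell(column, row, type = 'display') {
  const value = row[column.data];
  return column.render ? column.render(value, type, row) : value;
}

// Constructed history-page row whose sparkUser came from a hostile SPARK_USER.
const maliciousRow = {
  id: 'app-placeholder-0001', // placeholder app id, not a real one
  sparkUser: "<script>alert('XSS')</script>",
};

// What the user column renders for the constructed row: entity-escaped text
// that the browser shows verbatim instead of executing.
function renderedUserCell() {
  return renderCell(userColumn, maliciousRow);
}
```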

diff --git a/core/src/main/resources/org/apache/spark/ui/static/historypage.js 
b/core/src/main/resources/org/apache/spark/ui/static/historypage.js
index d847efa2f7ff..853dfa708ef4 100644
--- a/core/src/main/resources/org/apache/spark/ui/static/historypage.js
+++ b/core/src/main/resources/org/apache/spark/ui/static/historypage.js
@@ -216,7 +216,11 @@ $(document).ready(function() {
             data: 'duration',
             render: (id, type, row) => `<span 
title="${row.durationMillisec}">${row.duration}</span>`
           },
-          {name: 'user', data: 'sparkUser' },
+          {
+            name: 'user',
+            data: 'sparkUser',
+            render: (name) => escapeHtml(name)
+          },
           {name: 'lastUpdated', data: 'lastUpdated' },
           {
             name: 'eventLog',
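Review bot: the new `render: (name) => escapeHtml(name)` callback depends on `escapeHtml` already being in scope in historypage.js, but nothing in this hunk shows its import or definition; confirm the helper is imported in this file, since an undefined reference would throw during table rendering and leave the history table empty. Also, DataTables calls `render` for the display, filter, sort and type passes alike, so with this form the column is filtered and sorted on the escaped string; that is harmless for the characters involved, but if exact matching on the raw `sparkUser` value matters, use the second callback argument and escape only when `type === 'display'`.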

