[SPARK-54624][UI][3.5] Ensure user name in historypage get escaped
What changes were proposed in this pull request?
This PR backports #53364 to branch-3.5.
This PR aims to escape user name displayed in historypage.
Why are the changes needed?
Similar to the issue resolved in #52851, the user name should also get escaped because an arbitrary user name can be set through the env var SPARK_USER.
Does this PR introduce any user-facing change?
No.
How was this patch tested?
The user name displayed in historypage is escaped even if the name is like `<script>alert('XSS')</script>`.
Was this patch authored or co-authored using generative AI tooling?
No.
~The failed test seems to be related to #53332, not this change.~
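
The escaping this PR describes, sketched as an added example (not code from Spark or from this PR): a history-page table row rendered with and without HTML-escaping the user name. The record shape (`id`, `sparkUser`), the row markup and all function names are assumptions made for illustration.

```javascript
// Added illustration, not Spark's code. Field names and row markup are assumed.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape the five characters that can change the HTML parsing context.
// "&" is handled in the same pass, so already-encoded input is encoded
// again instead of being trusted ("&lt;" becomes "&amp;lt;").
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": user-controlled text concatenated straight into markup.
function renderRowUnescaped(app) {
  return "<tr><td>" + app.id + "</td><td>" + app.sparkUser + "</td></tr>";
}

// "After": every field is escaped at the point of output, so a value set
// through SPARK_USER is displayed as text and never parsed as markup.
function renderRowEscaped(app) {
  return (
    "<tr><td>" + escapeHtml(app.id) + "</td><td>" +
    escapeHtml(app.sparkUser) + "</td></tr>"
  );
}

// Review aid: list the fields whose raw value differs from its escaped
// form, i.e. the fields that would alter the page if written unescaped.
function fieldsNeedingEscape(app) {
  return Object.keys(app).filter((k) => escapeHtml(app[k]) !== String(app[k]));
}

// Constructed sample record using the test string quoted in the PR.
const sampleApp = { id: "app-0001", sparkUser: "<script>alert('XSS')</script>" };

console.log(renderRowEscaped(sampleApp));
console.log(fieldsNeedingEscape(sampleApp));
```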