Connection ID is not sanitized and you can self - javascript yourself

[potiuk]

Body

In Admin -> Connection the connection ID is not sanitized when you create it and not sanitized when it is displaye so you can put pieces of javascript in it <script>alert(1)</script> . This is not really a security issue, becaus you cannot do more with it than when you edit/inspect in the browser, but it would be nice to fix it and sanitize connection ID - likely ad the display time.

Committer

• I acknowledge that I am a maintainer/committer of the Apache Airflow project.

[potiuk]

It looks like it's something even deeper in FAB. When. you enter < or { in the connection_id, the Conneciton EDIT crashes with:

It needs a bit closer investigation