From 643087e5ba2c13df6ebf3132b821cb3c076a8e43 Mon Sep 17 00:00:00 2001
From: Kousuke Saruta <sarutak@amazon.co.jp>
Date: Wed, 10 Dec 2025 04:33:18 +0900
Subject: [PATCH] Escape user name

---
 .../resources/org/apache/spark/ui/static/historypage.js     | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/core/src/main/resources/org/apache/spark/ui/static/historypage.js b/core/src/main/resources/org/apache/spark/ui/static/historypage.js
index d847efa2f7ff..853dfa708ef4 100644
--- a/core/src/main/resources/org/apache/spark/ui/static/historypage.js
+++ b/core/src/main/resources/org/apache/spark/ui/static/historypage.js
@@ -216,7 +216,11 @@ $(document).ready(function() {
             data: 'duration',
             render: (id, type, row) => `<span title="${row.durationMillisec}">${row.duration}</span>`
           },
-          {name: 'user', data: 'sparkUser' },
+          {
+            name: 'user',
+            data: 'sparkUser',
+            render: (name) => escapeHtml(name)
+          },
           {name: 'lastUpdated', data: 'lastUpdated' },
           {
             name: 'eventLog',