[SPARK-54857][WEBUI][TESTS] Add test ensuring user name and app name in historypage get escaped

### What changes were proposed in this pull request?
This PR proposes to add tests for SPARK-53337 and SPARK-54624.

### Why are the changes needed?
To ensure user name and app name in historypage get escaped.

### Does this PR introduce _any_ user-facing change?
No.

### How was this patch tested?
Add new test.

### Was this patch authored or co-authored using generative AI tooling?
No.

Closes #53628 from sarutak/add-xss-test.

Authored-by: Kousuke Saruta <[email protected]>
Signed-off-by: Kousuke Saruta <[email protected]>

Author: sarutak

core/src/test/resources/HistoryServerExpectations/application_list_json_expectation.json

@@ -1,4 +1,19 @@
 [ {
+  "attempts" : [ {
+    "appSparkVersion" : "4.2.0-SNAPSHOT",
+    "completed" : true,
+    "duration" : 2006,
+    "endTime" : "2025-12-27T14:15:12.221GMT",
+    "endTimeEpoch" : 1766844912221,
+    "lastUpdated" : "",
+    "lastUpdatedEpoch" : 0,
+    "sparkUser" : "<script>alert('XSS')</script>",
+    "startTime" : "2025-12-27T14:15:10.215GMT",
+    "startTimeEpoch" : 1766844910215
+  } ],
+  "id" : "local-1766844910796",
+  "name" : "<script>alert('XSS')</script>"
+}, {
   "attempts" : [ {
     "appSparkVersion" : "3.3.0-SNAPSHOT",
     "completed" : true,

core/src/test/resources/HistoryServerExpectations/completed_app_list_json_expectation.json

@@ -1,4 +1,19 @@
 [ {
+  "attempts" : [ {
+    "appSparkVersion" : "4.2.0-SNAPSHOT",
+    "completed" : true,
+    "duration" : 2006,
+    "endTime" : "2025-12-27T14:15:12.221GMT",
+    "endTimeEpoch" : 1766844912221,
+    "lastUpdated" : "",
+    "lastUpdatedEpoch" : 0,
+    "sparkUser" : "<script>alert('XSS')</script>",
+    "startTime" : "2025-12-27T14:15:10.215GMT",
+    "startTimeEpoch" : 1766844910215
+  } ],
+  "id" : "local-1766844910796",
+  "name" : "<script>alert('XSS')</script>"
+}, {
   "attempts" : [ {
     "appSparkVersion" : "3.3.0-SNAPSHOT",
     "completed" : true,

core/src/test/resources/HistoryServerExpectations/limit_app_list_json_expectation.json

@@ -1,4 +1,19 @@
 [ {
+  "attempts" : [ {
+    "appSparkVersion" : "4.2.0-SNAPSHOT",
+    "completed" : true,
+    "duration" : 2006,
+    "endTime" : "2025-12-27T14:15:12.221GMT",
+    "endTimeEpoch" : 1766844912221,
+    "lastUpdated" : "",
+    "lastUpdatedEpoch" : 0,
+    "sparkUser" : "<script>alert('XSS')</script>",
+    "startTime" : "2025-12-27T14:15:10.215GMT",
+    "startTimeEpoch" : 1766844910215
+  } ],
+  "id" : "local-1766844910796",
+  "name" : "<script>alert('XSS')</script>"
+}, {
   "attempts" : [ {
     "appSparkVersion" : "3.3.0-SNAPSHOT",
     "completed" : true,
@@ -28,19 +43,4 @@
   } ],
   "id" : "application_1628109047826_1317105",
   "name" : "Spark shell"
-}, {
-  "attempts" : [ {
-    "appSparkVersion" : "3.1.0-SNAPSHOT",
-    "completed" : true,
-    "duration" : 363996,
-    "endTime" : "2020-07-07T03:17:04.231GMT",
-    "endTimeEpoch" : 1594091824231,
-    "lastUpdated" : "",
-    "lastUpdatedEpoch" : 0,
-    "sparkUser" : "terryk",
-    "startTime" : "2020-07-07T03:11:00.235GMT",
-    "startTimeEpoch" : 1594091460235
-  } ],
-  "id" : "app-20200706201101-0003",
-  "name" : "Spark shell"
 } ]

core/src/test/resources/HistoryServerExpectations/minDate_app_list_json_expectation.json

@@ -1,4 +1,19 @@
 [ {
+  "attempts" : [ {
+    "appSparkVersion" : "4.2.0-SNAPSHOT",
+    "completed" : true,
+    "duration" : 2006,
+    "endTime" : "2025-12-27T14:15:12.221GMT",
+    "endTimeEpoch" : 1766844912221,
+    "lastUpdated" : "",
+    "lastUpdatedEpoch" : 0,
+    "sparkUser" : "<script>alert('XSS')</script>",
+    "startTime" : "2025-12-27T14:15:10.215GMT",
+    "startTimeEpoch" : 1766844910215
+  } ],
+  "id" : "local-1766844910796",
+  "name" : "<script>alert('XSS')</script>"
+}, {
   "attempts" : [ {
     "appSparkVersion" : "3.3.0-SNAPSHOT",
     "completed" : true,

core/src/test/resources/HistoryServerExpectations/minEndDate_app_list_json_expectation.json

@@ -1,4 +1,19 @@
 [ {
+  "attempts" : [ {
+    "appSparkVersion" : "4.2.0-SNAPSHOT",
+    "completed" : true,
+    "duration" : 2006,
+    "endTime" : "2025-12-27T14:15:12.221GMT",
+    "endTimeEpoch" : 1766844912221,
+    "lastUpdated" : "",
+    "lastUpdatedEpoch" : 0,
+    "sparkUser" : "<script>alert('XSS')</script>",
+    "startTime" : "2025-12-27T14:15:10.215GMT",
+    "startTimeEpoch" : 1766844910215
+  } ],
+  "id" : "local-1766844910796",
+  "name" : "<script>alert('XSS')</script>"
+}, {
   "attempts" : [ {
     "appSparkVersion" : "3.3.0-SNAPSHOT",
     "completed" : true,

core/src/test/resources/spark-events/eventlog_v2_local-1766844910796/.appstatus_local-1766844910796.crc

@@ -390,6 +390,23 @@ abstract class HistoryServerSuite extends SparkFunSuite with BeforeAndAfter with
     assert(response.contains(SPARK_VERSION))
   }
 
+  test("SPARK-54857: XSS prevention in application and user names") {
+    implicit val formats = org.json4s.DefaultFormats
+
+    val appId = "local-1766844910796"
+    val response = getUrl(s"applications/$appId")
+    val app = JsonMethods.parse(response)
+
+    // Verify that malicious content is present in JSON (not escaped at API level)
+    (app \ "name").extract[String] should be ("<script>alert('XSS')</script>")
+    val attempt = (app \ "attempts")(0)
+    (attempt \ "sparkUser").extract[String] should be ("<script>alert('XSS')</script>")
+
+    // Verify that the history page HTML properly escapes the content
+    val historyPage = HistoryServerSuite.getUrl(buildPageAttemptUrl(appId, None))
+    historyPage should not include "<script>alert('XSS')</script>"
+  }
+
   /**
    * Verify that the security manager needed for the history server can be instantiated
    * when `spark.authenticate` is `true`, rather than raise an `IllegalArgumentException`.

core/src/test/resources/spark-events/eventlog_v2_local-1766844910796/appstatus_local-1766844910796

@@ -88,6 +88,7 @@ local-1430917381534
 local-1430917381535_1
 local-1430917381535_2
 local-1642039451826
+eventlog_v2_local-1766844910796
 DESCRIPTION
 NAMESPACE
 test_support/*