Added missing XSS strip based on comparison to 2.0 branch.

Author: ambauma

core/src/main/scala/org/apache/spark/ui/jobs/StagesTab.scala

@@ -38,7 +38,8 @@ private[ui] class StagesTab(parent: SparkUI) extends SparkUITab(parent, "stages"
 
   def handleKillRequest(request: HttpServletRequest): Unit = {
     if (killEnabled && parent.securityManager.checkModifyPermissions(request.getRemoteUser)) {
-      val killFlag = Option(request.getParameter("terminate")).getOrElse("false").toBoolean
+      val killFlag = Option(UIUtils.stripXSS(request.getParameter("terminate")))
+        .getOrElse("false").toBoolean
       // stripXSS is called first to remove suspicious characters used in XSS attacks
       val stageId = Option(UIUtils.stripXSS(request.getParameter("id"))).getOrElse("-1").toInt
       if (stageId >= 0 && killFlag && progressListener.activeStages.contains(stageId)) {