> On 9 Apr 2007, at 03:59, Ethan Galstad wrote:
>
>> I think it's a good idea to escape HTML whenever possible. I think
>> these
>> kinds of problems can all be avoided by simply escaping the
>> characters. I've updated the html_encode() function and changed the
>> CGIs to encode all plugin/perfdata output in the CGIs, as well as the
>> command definitions in the config CGI. I think I've got the code
>> changed in all the necessary places. Patches will be made to the CVS
>> code
>> (Nagios 2.x and 3/HEAD branches) shortly.
>
> What about where we *do* want html passed through to the web
> interface? For instance, we have urlize which wraps the output with
> an tag.
Whoops - forgot about that.
strip HTML from the plugin output at the moment (original
functionality), but left a strip_plugin_html() stub for stripping out
some tags in the near future.
>
> I would prefer Sean's suggestion of allowing "safe" tags. My drupal
> install has a "filtered HTML mode" which allows
> , which seems like a
> reasonable list to allow. Any other tags should be stripped, rather
> than just encoded, I think.
Sounds reasonable. I'll get to writing this over the next few days.
>
> If you agree on a list of allowable tags, I can see this is useful to
> add to the plugins guidelines.
>
> Especially with Nagios 3's multi line output, some filtered output is
> going to be a very useful way of getting data presented in the front
> end. The front end can also decide whether to display or not.
>
> I would expect you always encode perfdata and command definitions.
>
> Ton
>
> http://www.altinity.com
> T: +44 (0)870 787 9243
> F: +44 (0)845 280 1725
> Skype: tonvoon
>
>
Ethan Galstad,
Nagios Developer
---
Email: [email protected]
Website: http://www.nagios.org
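The two approaches discussed in this thread, encoding everything versus letting a short list of "safe" tags through, can be shown side by side. The following is an added example written for this archive page; it is not Nagios's own html_encode() or strip_plugin_html() code. The allowed-tag list (b, i, br, a) is an assumption, since the list Ton quoted from Drupal did not survive in the archive, and the rule that an anchor may carry only an http(s) href and nothing else is likewise a choice made here. Anything not on the list is dropped rather than encoded, as the thread suggests, while stray angle brackets in text are entity-encoded.

```c
#include <stdio.h>
#include <string.h>

/* Append src to dst without overflowing; returns 0 on truncation. */
static int append(char *dst, size_t dstlen, size_t *pos, const char *src) {
    size_t n = strlen(src);
    if (*pos + n >= dstlen) return 0;
    memcpy(dst + *pos, src, n);
    *pos += n;
    dst[*pos] = '\0';
    return 1;
}

static int append_char(char *dst, size_t dstlen, size_t *pos, char c) {
    char tmp[2] = { c, '\0' };
    return append(dst, dstlen, pos, tmp);
}

/* Entity for an HTML-significant character, or NULL if none is needed. */
static const char *entity_for(char c) {
    switch (c) {
        case '<':  return "&lt;";
        case '>':  return "&gt;";
        case '&':  return "&amp;";
        case '"':  return "&quot;";
        case '\'': return "&#39;";
        default:   return NULL;
    }
}

/* Encode every HTML-significant character. This is the treatment for
 * perfdata and command definitions, which never legitimately carry markup.
 * Returns 0 on success, -1 if the output buffer is too small. */
int html_encode_all(const char *in, char *out, size_t outlen) {
    size_t pos = 0;
    out[0] = '\0';
    for (; *in; in++) {
        const char *e = entity_for(*in);
        if (!(e ? append(out, outlen, &pos, e) : append_char(out, outlen, &pos, *in)))
            return -1;
    }
    return 0;
}

/* Hypothetical allowlist: exact, lowercase, attribute-free tags pass through. */
static const char *const ALLOWED_TAGS[] = { "<b>", "</b>", "<i>", "</i>", "<br>", "</a>" };

/* Accept <a href="http://..."> or <a href="https://..."> with no other attribute,
 * so a javascript: URL or an event-handler attribute never reaches the browser. */
static int is_safe_anchor(const char *tag) {
    const char *p;
    if (strncmp(tag, "<a href=\"", 9) != 0) return 0;
    p = tag + 9;
    if (strncmp(p, "http://", 7) != 0 && strncmp(p, "https://", 8) != 0) return 0;
    p = strchr(p, '"');                 /* first quote after the scheme */
    return p != NULL && strcmp(p, "\">") == 0;
}

static int is_allowed_tag(const char *tag) {
    size_t i;
    for (i = 0; i < sizeof ALLOWED_TAGS / sizeof ALLOWED_TAGS[0]; i++)
        if (strcmp(tag, ALLOWED_TAGS[i]) == 0) return 1;
    return is_safe_anchor(tag);
}

/* Filter plugin output: allowed tags pass through, every other tag is dropped
 * outright, and remaining text is entity-encoded (so an unterminated '<'
 * becomes &lt; instead of opening a tag). Returns 0, or -1 on truncation. */
int filter_plugin_html(const char *in, char *out, size_t outlen) {
    size_t pos = 0;
    char tag[128];
    out[0] = '\0';
    while (*in) {
        if (*in == '<') {
            const char *end = strchr(in, '>');
            size_t len = end ? (size_t)(end - in + 1) : 0;
            if (len > 0 && len < sizeof tag) {
                memcpy(tag, in, len);
                tag[len] = '\0';
                if (is_allowed_tag(tag) && !append(out, outlen, &pos, tag)) return -1;
                in = end + 1;           /* disallowed tags vanish entirely */
                continue;
            }
            /* unterminated or oversized tag: fall through and encode the '<' */
        }
        const char *e = entity_for(*in);
        if (!(e ? append(out, outlen, &pos, e) : append_char(out, outlen, &pos, *in)))
            return -1;
        in++;
    }
    return 0;
}

int main(void) {
    /* Constructed sample plugin output, not real check output. */
    const char *sample = "OK - <b>up</b> <script>x</script> 1<2";
    char buf[256];
    if (filter_plugin_html(sample, buf, sizeof buf) == 0) printf("filtered: %s\n", buf);
    if (html_encode_all(sample, buf, sizeof buf) == 0) printf("encoded:  %s\n", buf);
    return 0;
}
```

The split between the two functions is the point: perfdata and command definitions go through html_encode_all() unconditionally, and only the human-readable plugin output goes through the allowlist filter, so urlize-style links survive while anything outside the list is removed rather than displayed as literal text.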
This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]