Re: [Nagios-devel] escaping/sanitizing plugin output in nagios web
Posted: Tue Apr 10, 2007 12:46 am
On 9 Apr 2007, at 03:59, Ethan Galstad wrote:
> I think it's a good idea to escape HTML whenever possible. I think
> these kinds of problems can all be avoided by simply escaping the
> characters. I've updated the html_encode() function and changed the
> CGIs to encode all plugin/perfdata output in the CGIs, as well as the
> command definitions in the config CGI. I think I've got the code
> changed in all the necessary places. Patches will be made to the CVS
> code (Nagios 2.x and 3/HEAD branches) shortly.
What about where we *do* want html passed through to the web
interface? For instance, we have urlize which wraps the output with
an tag.
I would prefer Sean's suggestion of allowing "safe" tags. My drupal
install has a "filtered HTML mode" which allows
, which seems like a
reasonable list to allow. Any other tags should be stripped, rather
than just encoded, I think.
If you agree on a list of allowable tags, I can see this is useful to
add to the plugins guidelines.
Especially with Nagios 3's multi line output, some filtered output is
going to be a very useful way of getting data presented in the front
end. The front end can also decide whether to display or not.
I would expect you always encode perfdata and command definitions.
Ton
http://www.altinity.com
T: +44 (0)870 787 9243
F: +44 (0)845 280 1725
Skype: tonvoon
This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]
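The two policies debated above, encode every HTML-significant character versus keep a small safelist of tags and strip everything else, side by side as an added C example. This is not the Nagios html_encode() implementation nor any code from the thread; the safelist (b, i, em, strong, br), the function names and the sample plugin output are constructed for illustration. Safelisted tags are accepted only when they carry no attributes, so an allowed tag name cannot smuggle an event handler or a scripted URL; anything else between angle brackets is dropped rather than encoded, and all remaining text is encoded, which is what makes the stripped tag's contents inert.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed safelist of attribute-free tags (constructed for this example;
 * the thread does not fix the real list). */
static const char *const safe_tags[] = { "b", "i", "em", "strong", "br", NULL };

/* Shared output buffer for the demonstration in main(). */
char scratch[512];

/* Append src at *pos, refusing to overflow out. Returns 0, or -1 on overflow. */
static int put(char *out, size_t outlen, size_t *pos, const char *src)
{
    size_t n = strlen(src);
    if (*pos + n + 1 > outlen)
        return -1;
    memcpy(out + *pos, src, n);
    *pos += n;
    out[*pos] = '\0';
    return 0;
}

/* Entity for one HTML-significant character, or NULL if it needs no escaping. */
static const char *entity_for(char c)
{
    switch (c) {
    case '<':  return "&lt;";
    case '>':  return "&gt;";
    case '&':  return "&amp;";
    case '"':  return "&quot;";
    case '\'': return "&#39;";
    default:   return NULL;
    }
}

static int put_char_encoded(char *out, size_t outlen, size_t *pos, char c)
{
    const char *ent = entity_for(c);
    char one[2] = { c, '\0' };
    return put(out, outlen, pos, ent ? ent : one);
}

/* Policy 1: encode everything. No markup survives; the browser shows it literally. */
int html_encode(const char *in, char *out, size_t outlen)
{
    size_t pos = 0;
    out[0] = '\0';
    for (; *in; in++)
        if (put_char_encoded(out, outlen, &pos, *in) < 0)
            return -1;
    return 0;
}

/* Is body (the text between '<' and '>', len bytes) a bare safelisted tag such as
 * "b" or "/b"? Attributes, spaces or slashes anywhere else reject it. On success
 * the normalised lowercase tag (with any leading '/') is written to tag. */
static int safelisted_tag(const char *body, size_t len, char *tag, size_t taglen)
{
    size_t i = 0, t = 0;
    const char *name;
    if (len == 0 || len + 1 > taglen)
        return 0;
    if (body[0] == '/') { tag[t++] = '/'; i = 1; }
    if (i == len)
        return 0;                                   /* "</>" is not a tag */
    for (; i < len; i++) {
        if (!isalnum((unsigned char)body[i]))
            return 0;                               /* e.g. "b onclick=..." */
        tag[t++] = (char)tolower((unsigned char)body[i]);
    }
    tag[t] = '\0';
    name = tag[0] == '/' ? tag + 1 : tag;
    for (const char *const *s = safe_tags; *s; s++)
        if (strcmp(*s, name) == 0)
            return 1;
    return 0;
}

/* Policy 2: filtered HTML. Safelisted bare tags pass through, other tags are
 * stripped (their text content stays and is encoded), everything else is encoded. */
int html_filter(const char *in, char *out, size_t outlen)
{
    size_t pos = 0;
    char tag[32];
    out[0] = '\0';
    while (*in) {
        if (*in == '<') {
            const char *close = strchr(in + 1, '>');
            if (close && safelisted_tag(in + 1, (size_t)(close - in - 1), tag, sizeof tag)) {
                if (put(out, outlen, &pos, "<") < 0 || put(out, outlen, &pos, tag) < 0 ||
                    put(out, outlen, &pos, ">") < 0)
                    return -1;
                in = close + 1;
                continue;
            }
            if (close) { in = close + 1; continue; } /* unlisted tag: drop it entirely */
            /* a lone '<' with no later '>' falls through and is encoded */
        }
        if (put_char_encoded(out, outlen, &pos, *in) < 0)
            return -1;
        in++;
    }
    return 0;
}

int main(void)
{
    /* Constructed plugin output mixing wanted markup, unwanted markup and plain '<'. */
    const char *sample = "DISK OK - <b>95%</b> free on <a href=\"http://host/\">host</a>; "
                         "<script>alert(1)</script> load < 1 & 2";
    html_encode(sample, scratch, sizeof scratch);
    printf("encoded : %s\n", scratch);
    html_filter(sample, scratch, sizeof scratch);
    printf("filtered: %s\n", scratch);
    return 0;
}
```

One limitation worth knowing before adopting the filtered policy: a bare `<` in plain text that happens to be followed later by a `>` is treated as an unlisted tag and the span between them is dropped. That fails safe (nothing executable gets through) but loses text, so plugins that emit filtered output must still encode stray comparison operators themselves, and perfdata and command definitions should go through the encode-everything path as the thread suggests.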