From f7c7dec7cb22b8b1d45832c9625c07764bc81c94 Mon Sep 17 00:00:00 2001
From: Luna Stadler
Date: Fri, 22 Sep 2023 10:23:24 +0200
Subject: [PATCH] Escape values in `field_format` templates

These could be used to run XSS attacks if an attacker has control over the parameters in some way, e.g. with the `request.url` parameter used in the example config: https://github.com/spreadshirt/es-stream-logs/blob/main/config.json#L17-L20

The parameters are now escaped before being sent to the client, which then renders them via `.innerHTML` to allow custom HTML as specified in the config: https://github.com/spreadshirt/es-stream-logs/blob/main/static/enhance.js#L343-L346
---
 render/render_html.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/render/render_html.py b/render/render_html.py
index 2ac3d2a..0b7e7cc 100644
--- a/render/render_html.py
+++ b/render/render_html.py
@@ -291,7 +291,7 @@ def get_value(self, key, args, kwargs):
 val = kwargs.get(key)
 if isinstance(val, dict):
 return DotMap(val)
- return val
+ return escape(val)
 class DotMap(dict):
@@ -301,4 +301,4 @@ def __getattr__(self, attr):
 val = self.get(attr)
 if isinstance(val, dict):
 return DotMap(val)
- return val
+ return escape(val)
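Review bot: `escape(val)` on the new return line of `get_value` (and the identical line in `DotMap.__getattr__` in the second hunk) is reached for every non-dict value, including `None` when `kwargs.get(key)` / `self.get(attr)` misses and non-string values such as ints; if `escape` is `html.escape`, those raise `AttributeError` where the old code returned the value unchanged and `str.format` rendered it as text. Converting first, `return escape(str(val))`, keeps the escaping and preserves the previous rendering of non-strings (a `markupsafe`-style escape that accepts any object would make this moot, but the import is not visible in the hunk, so please confirm which one is used). HTML escaping also only neutralises element-text and quoted-attribute contexts: a config template that places a value inside an `href` or event-handler attribute still needs its own validation, which is worth a comment at the call site. Both `get_value` and `__getattr__` start before their hunks.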