daxi20/bird-lg-go
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

frontend: disable escaping of special HTML chars for BGPMap graph

Browse Source
This commit is contained in:
Lan Tian
2024-07-01 21:16:43 -07:00
parent f0f072c4a6
commit 0dd1c07b66
2 changed files with 8 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
frontend/bgpmap_graph.go
View File

@@ -1,6 +1,7 @@
package main package main
import ( import (
"bytes"
"encoding/json" "encoding/json"
"fmt" "fmt"
"strings" "strings"
@@ -69,11 +70,15 @@ func (graph *RouteGraph) attrsToString(attrs RouteAttrs) string {
} }
func (graph *RouteGraph) escape(s string) string { func (graph *RouteGraph) escape(s string) string {
result, err := json.Marshal(s) buffer := &bytes.Buffer{}
encoder := json.NewEncoder(buffer)
encoder.SetEscapeHTML(false)
err := encoder.Encode(s)
if err != nil { if err != nil {
return err.Error() return err.Error()
} else { } else {
return string(result) return string(buffer.Bytes())
} }
} }

2
frontend/bgpmap_test.go
View File

@@ -33,7 +33,7 @@ func TestBirdRouteToGraphvizXSS(t *testing.T) {
fakeResult, fakeResult,
}, fakeResult) }, fakeResult)
if strings.Contains(result, "<script>") { if strings.Contains(result, fakeResult) {
t.Errorf("XSS injection succeeded: %s", result) t.Errorf("XSS injection succeeded: %s", result)
} }
} }