Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

make Dest column into clickable links #587

Merged
merged 2 commits into from
Feb 25, 2019
Merged

make Dest column into clickable links #587

merged 2 commits into from
Feb 25, 2019

Conversation

kneufeld
Copy link
Contributor

addresses my issue #508

@CLAassistant
Copy link

CLAassistant commented Dec 20, 2018
edited
Loading

CLA assistant check
All committers have signed the CLA.

pschultz
pschultz reviewed Dec 21, 2018
View reviewed changes
admin/ui/route.go Outdated
@@ -91,7 +91,7 @@ $(function(){
tbl += '<td>' + (i+1) + '</td>';
tbl += '<td>' + r.service + '</td>';
tbl += '<td>' + r.src + '</td>';
tbl += '<td>' + r.dst + '</td>';
tbl += '<td><a href="' + r.dst + '">' + r.dst + '</a></td>';
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does the attribute have to be escaped? What happens if r.dst contains a quote, for instance?.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suppose this code is already vulnerable to XSS. I'm gonna fix this in another PR.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've only seen dst be an ip:port combo, not sure how clicking on a link has anything to do with XSS?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

dst is an arbitrary string from the configuration and may contain <script>evilCode();</script>. But again, I've addressed this in #588, so don't worry about it here.

@pschultz pschultz mentioned this pull request Dec 21, 2018
Merged
@magiconair
Copy link
Contributor

Resolved this and I'll merge this for 1.5.11. Hope I did this correctly. @pschultz could you have a quick look, please?

@magiconair magiconair merged commit 2bf608b into fabiolb:master Feb 25, 2019
@magiconair magiconair added this to the 1.5.11 milestone Feb 25, 2019
@magiconair magiconair mentioned this pull request Feb 25, 2019
Closed
@pschultz
Copy link
Member

@magiconair, yes, looks good to me.

@pschultz pschultz mentioned this pull request Apr 15, 2019
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pschultz pschultz pschultz left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
1.5.11
Development

Successfully merging this pull request may close these issues.
4 participants
@kneufeld @CLAassistant @magiconair @pschultz