Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

URL names in dashboard are not HTML escaped #374

Closed
kumar303 opened this issue Jan 11, 2016 · 12 comments
Closed

URL names in dashboard are not HTML escaped #374

kumar303 opened this issue Jan 11, 2016 · 12 comments
Labels
bug hacktoberfest See https://hacktoberfest.digitalocean.com for more info web interface

Comments

@kumar303
Copy link

URL names (for stats) are not HTML-escaped in the dashboard. This makes names with angle brackets disappear. For example:

self.client.get(url, name='/some-resource/upload/<uuid>')

would show up as /some-resource/upload/ instead of /some-resource/upload/<uuid> which is confusing. There could be some XSS security concerns here as well.
@cyberw
Copy link
Collaborator

cyberw commented Oct 18, 2019

Closing due to lack of activity. Let me know if this is still an issue.

@cyberw cyberw closed this as completed Oct 18, 2019
@heyman
Copy link
Member

heyman commented Oct 21, 2019

I just tested this. It's still an issue, and I think we should fix it.

@heyman heyman reopened this Oct 21, 2019
@cyberw cyberw added the hacktoberfest See https://hacktoberfest.digitalocean.com for more info label Oct 21, 2019
@peterdemin
Copy link
Contributor

Can I take it?

@cyberw
Copy link
Collaborator

cyberw commented Oct 23, 2019

@peterdemin By all means!

@peterdemin
Copy link
Contributor

Alright, where do I start? I'm experienced with Python, but new to Locust.

@cyberw
Copy link
Collaborator

cyberw commented Oct 23, 2019

Uhm, if you've never used locust then you would need to start using it first, enough that you can at least reproduce the error.

I'm not even sure where the fix should be applied. Maybe in request_stats() in web.py, on line 111.

@peterdemin
Copy link
Contributor

I'm using locust here and there for a few years already :-) Thanks for the guidance.

@cyberw
Copy link
Collaborator

cyberw commented Oct 23, 2019

Cool, I was confused and thought maybe the hacktoberfest tag had attracted some kind of "drive by contributors" who didnt know what Locust was even for :P

@peterdemin
Copy link
Contributor

No, I just felt the urge to contribute back to the project I enjoy and used the Hacktoberfest label to filter low-hanging fruits.

peterdemin pushed a commit to peterdemin/locust that referenced this issue Oct 23, 2019
Escape HTML entities in endpoint names locustio#374
7e0d71c 
URL names (for stats) were not HTML-escaped in the dashboard.
This made names with angle brackets disappear. For example:

```
self.client.get(url, name='/some-resource/upload/<uuid>')
```

would show up as `/some-resource/upload/` instead of `/some-resource/upload/<uuid>` which is confusing.

I added new key to /stats/request - "safe_name" - so that escaping
is on the server side and javascript has less logic.
@peterdemin
Copy link
Contributor

Fixed in #1119

cyberw added a commit that referenced this issue Oct 23, 2019
@cyberw
Merge pull request #1119 from peterdemin/html-escape-name-GH-374
abd8052 
Escape HTML entities in endpoint names #374
@peterdemin
Copy link
Contributor

This can be closed, I believe.

@cyberw cyberw closed this as completed Oct 24, 2019
@cyberw
Copy link
Collaborator

cyberw commented Oct 24, 2019

Thx!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug hacktoberfest See https://hacktoberfest.digitalocean.com for more info web interface
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@heyman @kumar303 @justiniso @cyberw @peterdemin