escaping/sanitizing plugin output in nagios web interfaces

Ethan Galstad nagios at nagios.org
Tue Apr 10 16:45:32 CEST 2007


Ton Voon wrote:
> On 9 Apr 2007, at 03:59, Ethan Galstad wrote:
> 
>> I think it's a good idea to escape HTML whenever possible.  I think these
>> kinds of problems can all be avoided by simply escaping the < and >
>> characters.  I've updated the html_encode() function and changed the
>> CGIs to encode all plugin/perfdata output in the CGIs, as well as the
>> command definitions in the config CGI.  I think I've got the code
>> changed in all the necessary places.  Patches will be made to the CVS code
>> (Nagios 2.x and 3/HEAD branches) shortly.
> 
> What about where we *do* want html passed through to the web interface?
> For instance, we have urlize which wraps the output with an <a href="..."> tag.

Whoops - forgot about that. :-)  I just changed the CVS code to not 
strip HTML from the plugin output at the moment (original 
functionality), but left a strip_plugin_html() stub for stripping out 
some tags in the near future.

> 
> I would prefer Sean's suggestion of allowing "safe" tags. My drupal  
> install has a "filtered HTML mode" which allows <a> <em> <strong>  
> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>, which seems like a  
> reasonable list to allow. Any other tags should be stripped, rather  
> than just encoded, I think.

Sounds reasonable.  I'll get to writing this over the next few days.

> 
> If you agree on a list of allowable tags, I can see this is useful to  
> add to the plugins guidelines.
> 
> Especially with Nagios 3's multi line output, some filtered output is  
> going to be a very useful way of getting data presented in the front  
> end. The front end can also decide whether to display or not.
> 
> I would expect you always encode perfdata and command definitions.
> 
> Ton
> 
> http://www.altinity.com
> T: +44 (0)870 787 9243
> F: +44 (0)845 280 1725
> Skype: tonvoon
> 
> 



Ethan Galstad,
Nagios Developer
---
Email: nagios at nagios.org
Website: http://www.nagios.org
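The two behaviours discussed in this thread, full encoding for perfdata and command definitions and a "filtered HTML" mode that keeps only Ton's list of safe tags, written out as an added C example. This is not Nagios code: the function names html_encode() and filter_plugin_html() are modelled on the html_encode() and strip_plugin_html() names mentioned above but the implementation is my own, the allowlist is the Drupal list quoted in the thread, and the attribute handling (drop every attribute, keep only an http/https href on <a> so urlize output survives) is an assumption about what a filtered mode should do, not something the thread decided. The sample plugin output in main() is constructed for the demo.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Allowlist quoted in the thread (Drupal "filtered HTML" mode). Assumption:
 * anything not listed is stripped, its text content is kept. */
static const char *const allowed_tags[] = {
    "a", "em", "strong", "cite", "code", "ul", "ol", "li", "dl", "dt", "dd", NULL
};

/* Bounded append; out is always NUL-terminated, excess input is truncated. */
static void put(char *out, size_t outlen, size_t *pos, char c) {
    if (*pos + 1 < outlen) out[(*pos)++] = c;
    out[*pos] = '\0';
}
static void put_str(char *out, size_t outlen, size_t *pos, const char *s) {
    while (*s) put(out, outlen, pos, *s++);
}

/* Full encoding, for perfdata and command definitions where no markup is
 * ever wanted. Escapes all five characters that matter in both text and
 * attribute context; < and > alone are not enough once output lands inside
 * an attribute value. Returns the number of bytes written. */
size_t html_encode(const char *in, char *out, size_t outlen) {
    size_t pos = 0;
    if (outlen == 0) return 0;
    out[0] = '\0';
    for (; *in; in++) {
        switch (*in) {
        case '&':  put_str(out, outlen, &pos, "&amp;");  break;
        case '<':  put_str(out, outlen, &pos, "&lt;");   break;
        case '>':  put_str(out, outlen, &pos, "&gt;");   break;
        case '"':  put_str(out, outlen, &pos, "&quot;"); break;
        case '\'': put_str(out, outlen, &pos, "&#39;");  break;
        default:   put(out, outlen, &pos, *in);
        }
    }
    return pos;
}

/* Case-insensitive prefix test without relying on strncasecmp. */
static int starts_with_ci(const char *s, size_t len, const char *prefix) {
    size_t n = strlen(prefix);
    if (len < n) return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)s[i]) != prefix[i]) return 0;
    return 1;
}

static int tag_allowed(const char *name, size_t len) {
    for (int i = 0; allowed_tags[i]; i++)
        if (strlen(allowed_tags[i]) == len && starts_with_ci(name, len, allowed_tags[i]))
            return 1;
    return 0;
}

/* Filtered mode for plugin output: allowed tags pass with attributes dropped
 * (only an http/https href on <a> is kept, re-encoded), other tags are
 * removed, and text between tags is encoded so a stray '<' cannot open
 * markup. Returns the number of bytes written. */
size_t filter_plugin_html(const char *in, char *out, size_t outlen) {
    size_t pos = 0;
    if (outlen == 0) return 0;
    out[0] = '\0';
    while (*in) {
        const char *end = NULL, *p, *name;
        size_t name_len;
        int closing;
        if (*in != '<' || (end = strchr(in, '>')) == NULL) {
            char one[2] = { *in++, '\0' }, enc[8];   /* text node: encode it */
            html_encode(one, enc, sizeof enc);
            put_str(out, outlen, &pos, enc);
            continue;
        }
        p = in + 1;
        closing = (*p == '/');
        if (closing) p++;
        name = p;
        while (p < end && isalnum((unsigned char)*p)) p++;
        name_len = (size_t)(p - name);
        if (name_len == 0) {               /* "5 < 10": a bare '<' is text */
            put_str(out, outlen, &pos, "&lt;");
            in++;
            continue;
        }
        if (tag_allowed(name, name_len)) {
            put(out, outlen, &pos, '<');
            if (closing) put(out, outlen, &pos, '/');
            for (size_t i = 0; i < name_len; i++)
                put(out, outlen, &pos, (char)tolower((unsigned char)name[i]));
            if (!closing && name_len == 1 && tolower((unsigned char)name[0]) == 'a') {
                const char *h = p;                  /* look for href="..." */
                while (h + 6 <= end && !starts_with_ci(h, 6, "href=\"")) h++;
                if (h + 6 <= end) {
                    const char *v = h + 6, *q = v;
                    while (q < end && *q != '"') q++;
                    size_t vlen = (size_t)(q - v);
                    char url[512], enc[1024];
                    /* javascript:, data: etc. are silently dropped */
                    if (q < end && vlen < sizeof url &&
                        (starts_with_ci(v, vlen, "http://") || starts_with_ci(v, vlen, "https://"))) {
                        memcpy(url, v, vlen); url[vlen] = '\0';
                        html_encode(url, enc, sizeof enc);
                        put_str(out, outlen, &pos, " href=\"");
                        put_str(out, outlen, &pos, enc);
                        put(out, outlen, &pos, '"');
                    }
                }
            }
            put(out, outlen, &pos, '>');
        }
        in = end + 1;                       /* disallowed tag: dropped */
    }
    return pos;
}

int main(void) {
    /* constructed sample: what a urlize-wrapped plugin might emit, plus junk */
    const char *sample = "OK - <a href=\"http://example.com/host\">host</a> up "
                         "<script>alert(1)</script> 5 < 10 & <b onclick=\"x\">bold</b>";
    char buf[512];
    filter_plugin_html(sample, buf, sizeof buf);
    printf("filtered: %s\n", buf);
    html_encode(sample, buf, sizeof buf);
    printf("encoded:  %s\n", buf);
    return 0;
}
```

The split matches Ton's last point: perfdata and command definitions always go through html_encode(), only the human-readable plugin output goes through the filter. Keeping the scheme check on href is the caveat worth noting when allowing <a> at all, since a plugin (or whatever it echoes back from a remote host) otherwise controls the link target.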
