escaping/sanitizing plugin output in nagios web interfaces

sean finney seanius at seanius.net
Fri Apr 13 18:49:10 CEST 2007


hey guys,

On Tue, 2007-04-10 at 09:45 +0100, Ton Voon wrote:
>
> What about where we *do* want html passed through to the web
> interface? For instance, we have urlize which wraps the output with
> an <a href="..."> tag.

another option would be to allow some commands to be exempt from
filtering via a config option.  i would say that the plugin shouldn't
really concern itself with the details of formatting output in html at
all (and maybe leave it to some "helper" utilities like urlize).  then
of course these helper commands would need to be responsible for
filtering their input (before marking up the output), but at least it
would funnel everything through a single path.

but of course this all goes with the disclaimer that i haven't been
paying any attention to the latest goings-on with multiline output and
nagios3 in general :)

> I would prefer Sean's suggestion of allowing "safe" tags. My drupal
> install has a "filtered HTML mode" which allows <a> <em> <strong>
> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>, which seems like a
> reasonable list to allow. Any other tags should be stripped, rather
> than just encoded, I think.

spending a little time thinking about this, i think there could still be
problems if we allowed certain tags.  for example, what about if an <a>
tag contained embedded javascript?  i'm not sure there's any way to do
this safely without going all the way down the road to using an html
parser.


	sean
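As an added example (not code from this thread or from the Nagios project), here is the kind of filter Sean is pointing at, written in Python around the standard library's html.parser rather than regexes. The tag list is Ton's "filtered HTML mode" list; the attribute allowlist, the SAFE_SCHEMES set and the choice to discard script/style contents are assumed policy, and the sample plugin output at the bottom is constructed. The point it demonstrates is that once <a> is permitted, the tag name alone says nothing about onclick= handlers or javascript: URLs, so the parser has to see every attribute and check the href scheme, while all text is still escaped.

```python
"""Allowlist-based HTML filter for monitoring plugin output.

Added example, not code from this thread or from the Nagios project.
Uses the standard library's html.parser instead of regexes, so attributes
are seen individually and a permitted tag such as <a> cannot carry
onclick= handlers or javascript: URLs into the CGI page.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Ton's "filtered HTML mode" list from the thread.
ALLOWED_TAGS = {"a", "em", "strong", "cite", "code",
                "ul", "ol", "li", "dl", "dt", "dd"}
# Per-tag attribute allowlist: only <a href> survives; onclick=, style=, ...
# on any tag are dropped. (Assumed policy, not a Nagios setting.)
ALLOWED_ATTRS = {"a": {"href"}}
# URL schemes a plugin may link to (assumed policy).
SAFE_SCHEMES = {"http", "https", "mailto"}
# Elements whose text content is discarded along with the tag.
DROP_CONTENT = {"script", "style"}


def safe_href(value):
    """True for relative URLs and absolute URLs with an allowlisted scheme.

    Control characters are removed first so a tab or newline inside the
    scheme cannot hide it from the parser; urlparse lower-cases the scheme.
    """
    cleaned = "".join(ch for ch in value if ord(ch) >= 0x20).strip()
    scheme = urlparse(cleaned).scheme
    return scheme == "" or scheme in SAFE_SCHEMES


class AllowlistFilter(HTMLParser):
    """Re-serialises input keeping only allowlisted tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # stack of emitted tags, so output stays balanced
        self.suppress = None  # name of a DROP_CONTENT element we are inside

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.suppress = tag
            return
        if tag not in ALLOWED_TAGS:
            return  # drop the tag itself; its text content is still emitted
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            if name == "href" and not safe_href(value):
                continue
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag == self.suppress:
            self.suppress = None
            return
        if tag in self.open_tags:
            # Close back down to this tag, emitting closers for anything
            # still open inside it so the output cannot leave tags dangling.
            while self.open_tags:
                inner = self.open_tags.pop()
                self.out.append("</%s>" % inner)
                if inner == tag:
                    break

    def handle_data(self, data):
        if self.suppress is None:
            # Text is always re-escaped, so a stray '<' in "5 < 10" is harmless.
            self.out.append(escape(data, quote=False))

    # Comments, declarations and processing instructions are dropped by the
    # base class defaults; nothing to override for them.

    def result(self):
        self.close()  # flush any text the parser is still buffering
        while self.open_tags:
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def filter_plugin_output(text):
    """Filter one plugin output line for inclusion in the web interface."""
    flt = AllowlistFilter()
    flt.feed(text)
    return flt.result()


if __name__ == "__main__":
    # Constructed sample plugin output, not real Nagios data.
    samples = [
        'OK - <a href="http://example.com/status">details</a>',
        '<a href="javascript:alert(1)" onclick="alert(2)">click</a>',
        '<script>alert(1)</script>CRITICAL <b>load</b> > 5',
        '<em>warning',
    ]
    for line in samples:
        print("%-60s -> %s" % (line, filter_plugin_output(line)))
```

Because the filter works on the parsed tree rather than on tag names, it is also the single path Sean mentions: a helper like urlize would build its <a> tag and then hand the whole line through this same function, so one place decides what reaches the browser.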