[dev.icinga.com #9036] Plugin output HTML tags are always escaped #1598

Closed
icinga-migration opened this issue Apr 9, 2015 · 6 comments
@icinga-migration

This issue has been migrated from Redmine: https://dev.icinga.com/issues/9036

Created by smadmin on 2015-04-09 12:30:28 +00:00

Assignee: mjentsch
Status: Resolved (closed on 2015-07-07 08:35:05 +00:00)
Target Version: 2.0.0
Last Update: 2015-07-07 08:35:05 +00:00 (in Redmine)


We have several custom plugins generating HTML output like:

  0 Message(s) gesendet

One view causing problems is /icingaweb2/monitoring/service/show

In modules/monitoring/application/views/helpers/PluginOutput.php the code snippet

$config->set('HTML.Allowed', 'p,br,b,a[href],i,table,tr,td[colspan],div[class]');

indicates that these HTML tags should be allowed.

The page shows that the tags are escaped:

<table>  <tr><td>0 Message(s) gesendet</td></tr></table>

I think this is caused before executing the helper function, because while debugging it used the branch in the if statement marked with "// Plaintext".

The other view is /icingaweb2/monitoring/show/services

There I cannot see it using the helper function at all, only an escape. If I remove the escape, it works as expected.

        <?= $this->ellipsis($service->service_output, 10000); ?>

Changesets

2015-07-06 12:43:32 +00:00 by mjentsch 9d2f0be

Identify perfdata containing html markup properly

refs #9036

2015-07-06 13:36:43 +00:00 by mjentsch 7bda4ce

Do not escape certain HTML markup for plugin output

Use specialized escape functions for plugin output that allow certain HTML formatting to be allowed.

refs #9036

2015-07-06 15:14:36 +00:00 by mjentsch 17bb725

Don't use HTMLPurifier in list views to improve performance

refs #9036

2015-07-07 08:17:04 +00:00 by mjentsch 4f884b1

Revert "Don't use HTMLPurifier in list views to improve performance"

Performance gain turned out to be insignificant. This reverts commit 17bb725f84d41396f43619da3e77829c0b4f0d94.

refs #9036

2015-07-07 08:24:54 +00:00 by mjentsch 604ef87

Merge branch 'bugfix/plugin-output-always-escaped-9036'

fixes #9036

2015-07-08 13:16:32 +00:00 by mjentsch 39df25f

Fix HTML detection in PluginOutput

refs #9036
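
An added example, not part of the original issue and not Icinga Web 2's code: a sketch of the two rendering branches the report describes, where plain-text plugin output is escaped and output containing markup is passed through HTMLPurifier with the `HTML.Allowed` list quoted above. The function names, the tag-detection regex, the Composer autoload path and the sample outputs are assumptions made for illustration.

```php
<?php
// Added example, not Icinga Web 2 code. Assumes HTMLPurifier was installed
// with Composer; pluginOutputPurifier()/renderPluginOutput() are hypothetical.
require_once __DIR__ . '/vendor/autoload.php';

function pluginOutputPurifier(): HTMLPurifier
{
    static $purifier = null;
    if ($purifier === null) {
        $config = HTMLPurifier_Config::createDefault();
        // Allowlist quoted in the report; other elements and attributes are dropped.
        $config->set('HTML.Allowed', 'p,br,b,a[href],i,table,tr,td[colspan],div[class]');
        // Disable the on-disk definition cache so no writable directory is needed.
        $config->set('Cache.DefinitionImpl', null);
        $purifier = new HTMLPurifier($config);
    }
    return $purifier;
}

function renderPluginOutput(string $output): string
{
    // Hypothetical detection rule: treat output as HTML only when it contains
    // something shaped like a tag. A bare "<" (e.g. "<10%") stays plain text.
    if (preg_match('~<[/a-zA-Z][^>]*>~', $output) !== 1) {
        // Plaintext branch: escape everything.
        return htmlspecialchars($output, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
    // HTML branch: keep only what the allowlist permits.
    return pluginOutputPurifier()->purify($output);
}

// Constructed sample plugin outputs.
$samples = [
    'plain text'    => 'DISK OK - free space: / 3326 MB (56%) <10% threshold',
    'allowed tags'  => '<table><tr><td colspan="2">0 Message(s) gesendet</td></tr></table>',
    'script tag'    => '<b>OK</b><script>alert(1)</script>',
    'event handler' => '<div class="ok" onclick="alert(1)">OK</div>',
    'bad scheme'    => '<a href="javascript:alert(1)">details</a>',
];

foreach ($samples as $label => $output) {
    printf("%-15s %s\n", $label . ':', renderPluginOutput($output));
}
```

Comparing the printed lines with the inputs shows which parts of each sample survive the allowlist and which are escaped or removed.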

@icinga-migration

Updated by elippmann on 2015-07-03 14:47:19 +00:00

  • Subject changed from Plugin output html tags are always escaped to Plugin output HTML tags are always escaped
  • Target Version set to 2.0.0

Hi,

Thanks for the report. We'll fix this asap.

In my opinion we should always escape plugin output w/o bothering HTML in the list views because of performance. In the detail views however, displaying HTML should be fine.

Cheers,
Eric

@icinga-migration

Updated by mjentsch on 2015-07-06 12:11:31 +00:00

  • Assigned to set to mjentsch

@icinga-migration

Updated by icinga-kanban on 2015-07-06 15:26:13 +00:00

Build !#799 triggered by commit 17bb725 passed successfully.

Branch: origin/bugfix/plugin-output-always-escaped-9036
Author: Matthias Jentsch

@icinga-migration

Updated by icinga-kanban on 2015-07-07 08:23:24 +00:00

Build !#800 triggered by commit 4f884b1 passed successfully.

Branch: origin/bugfix/plugin-output-always-escaped-9036
Author: Matthias Jentsch

@icinga-migration

Updated by mjentsch on 2015-07-07 08:35:05 +00:00

  • Status changed from New to Resolved
  • Done % changed from 0 to 100

Applied in changeset 604ef87.

@icinga-migration

Updated by tgelf on 2015-10-15 09:08:13 +00:00

  • Relates set to 10366

@icinga-migration icinga-migration added bug Something isn't working area/monitoring Affects the monitoring module labels Jan 17, 2017
@icinga-migration icinga-migration added this to the 2.0.0 milestone Jan 17, 2017