[checkmk-commits] Check_MK Git: check_mk: #1873 SEC Escaping event text of event console messages correctly in views

20 Jan 2015

Module: check_mk
Branch: master
Commit: a1ab443b17eb90c4a58c66aa89d7c623b4af818e
URL:   
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=a1ab443b17eb90…

Author: Lars Michelsen &lt;lm(a)mathias-kettner.de&gt;
Date:   Tue Jan 20 11:53:04 2015 +0100

#1873 SEC Escaping event text of event console messages correctly in views

Event texts of messages which have been processed by the event console
and resulted in a event might contain HTML code which is now escaped
correctly to prevent XSS attacks when shown in the event console views.

---

 .werks/1873                            |   12 ++++++++++++
 ChangeLog                              |    1 +
 mkeventd/web/plugins/views/mkeventd.py |    2 +-
 3 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/.werks/1873 b/.werks/1873
new file mode 100644
index 0000000..e3843e5
--- /dev/null
+++ b/.werks/1873
@@ -0,0 +1,12 @@
+Title: Escaping event text of event console messages correctly in views
+Level: 1
+Component: ec
+Class: security
+Compatible: compat
+State: unknown
+Version: 1.2.7i1
+Date: 1421751062
+
+Event texts of messages which have been processed by the event console
+and resulted in a event might contain HTML code which is now escaped
+correctly to prevent XSS attacks when shown in the event console views.
diff --git a/ChangeLog b/ChangeLog
index f530c49..a908613 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -143,6 +143,7 @@
 
     Event Console:
     * 1845 Keep record of original source IP address of a syslog message or SNMP trap...
+    * 1873 SEC: Escaping event text of event console messages correctly in views...
     * 1839 FIX: Fix exception when notifying EC alert into monitoring for traps (because
PID is missing)
     * 1813 FIX: Fixed bug in event console rule editor when no contact groups configured
 
diff --git a/mkeventd/web/plugins/views/mkeventd.py
b/mkeventd/web/plugins/views/mkeventd.py
index 37d1559..abab801 100644
--- a/mkeventd/web/plugins/views/mkeventd.py
+++ b/mkeventd/web/plugins/views/mkeventd.py
@@ -325,7 +325,7 @@ if mkeventd_enabled:
         "title"   : _("Text/Message of the event"),
         "short"   : _("Message"),
         "columns" : ["event_text"],
-        "paint"   : lambda row: ("",
row["event_text"].replace("\x01","<br>")),
+        "paint"   : lambda row: ("",
html.attrencode(row["event_text"]).replace("\x01","<br>")),
     }
 
     def paint_ec_match_groups(row):


    

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

[checkmk-commits] Check_MK Git: check_mk: #1873 SEC Escaping event text of event console messages correctly in views