Module: check_mk
Branch: master
Commit: a1ab443b17eb90c4a58c66aa89d7c623b4af818e
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=a1ab443b17eb90…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Tue Jan 20 11:53:04 2015 +0100
#1873 SEC Escaping event text of event console messages correctly in views
Event texts of messages which have been processed by the event console
and resulted in an event might contain HTML code which is now escaped
correctly to prevent XSS attacks when shown in the event console views.
---
.werks/1873 | 12 ++++++++++++
ChangeLog | 1 +
mkeventd/web/plugins/views/mkeventd.py | 2 +-
3 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/.werks/1873 b/.werks/1873
new file mode 100644
index 0000000..e3843e5
--- /dev/null
+++ b/.werks/1873
@@ -0,0 +1,12 @@
+Title: Escaping event text of event console messages correctly in views
+Level: 1
+Component: ec
+Class: security
+Compatible: compat
+State: unknown
+Version: 1.2.7i1
+Date: 1421751062
+
+Event texts of messages which have been processed by the event console
+and resulted in a event might contain HTML code which is now escaped
+correctly to prevent XSS attacks when shown in the event console views.
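Review bot: the werk body does not tell an administrator which part of the GUI is affected or where the unescaped text originates, so exposure is hard to judge from the werk alone. Suggest naming the painter that is changed (the "Text/Message of the event" column backed by `event_text`) and stating that the text is taken from received messages, which is what makes it untrusted input. Minor: "resulted in a event" in the body should read "an event".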
diff --git a/ChangeLog b/ChangeLog
index f530c49..a908613 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -143,6 +143,7 @@
Event Console:
* 1845 Keep record of original source IP address of a syslog message or SNMP trap...
+ * 1873 SEC: Escaping event text of event console messages correctly in views...
* 1839 FIX: Fix exception when notifying EC alert into monitoring for traps (because
PID is missing)
* 1813 FIX: Fixed bug in event console rule editor when no contact groups configured
diff --git a/mkeventd/web/plugins/views/mkeventd.py
b/mkeventd/web/plugins/views/mkeventd.py
index 37d1559..abab801 100644
--- a/mkeventd/web/plugins/views/mkeventd.py
+++ b/mkeventd/web/plugins/views/mkeventd.py
@@ -325,7 +325,7 @@ if mkeventd_enabled:
"title" : _("Text/Message of the event"),
"short" : _("Message"),
"columns" : ["event_text"],
- "paint" : lambda row: ("",
row["event_text"].replace("\x01","<br>")),
+ "paint" : lambda row: ("",
html.attrencode(row["event_text"]).replace("\x01","<br>")),
}
def paint_ec_match_groups(row):
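Review bot: in the new `"paint"` lambda the order of operations is load-bearing and nothing in the code says so. `html.attrencode(...)` has to run before `.replace("\x01","<br>")`; if a later cleanup swaps the two, either the `<br>` gets escaped and shows up literally, or the raw text is emitted again. A one-line comment above the entry stating that the event text is escaped first and that `<br>` is the only markup added afterwards would protect this. Separately, the hunk only touches the `event_text` painter, and the trailing context shows `paint_ec_match_groups(row)` defined immediately after it. If that painter, or any other column painter in this file, renders values taken from the received message, it needs the same escaping; please confirm those were checked as part of this werk.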